Gartner Security & Risk Management Summit 2012. Visit gartner.com/us/securityrisk or call 1 866 405 2511 to register

FIVE COMPLETE PROGRAMS
CISO Program
IT Security
Business Continuity Management
Risk Management and Compliance
New! The Business of IT Security and Risk

Gartner Security & Risk Management Summit 2012
June National Harbor, MD
gartner.com/us/securityrisk

HOT TOPICS
Advanced persistent threats and vulnerabilities
Secure mobile applications
Cloud and security
E-discovery and information governance
Network and infrastructure security
Social media and security
Crisis/incident management
Supply chain risk management
Identity and access management
Enterprise risk management
Regulatory compliance
Privacy

Strategic road maps to secure the enterprise and reduce risk

Challenges abound for those charged with making sure business is secure and resilient in the face of threat and adversity. Enterprises of every stripe face a dangerous threat landscape that is evolving rapidly, thanks to swift-moving trends such as cloud, mobile and social technologies. New anti-fraud, anti-corruption and other regulatory changes pose more challenges. Complexity is rising, big data keeps getting bigger and lean budgets require you to deliver more with every investment.

At the same time, as growth returns to the business cycle, risk management culture is growing in sophistication and relevance across the organization. Embracing and managing risk while mitigating vulnerabilities and becoming more resilient becomes a critical discipline for business success.

As the premier gathering of enterprise IT security and risk management executives, the Gartner Security & Risk Management Summit 2012 takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management and resilience.

This year's summit offers over 140 sessions and five in-depth, role-based programs:
CISO Program
IT Security
Risk Management and Compliance
Business Continuity Management (BCM)
New! The Business of IT Security and Risk

EARN CPE CREDITS
Attending the summit helps you advance your continuing professional education (CPE). Registered participants are eligible to earn CPE credits toward ISC2, ISACA, DRII, and IAPP certification programs. Learn more at gartner.com/us/securityrisk.

WHAT'S NEW FOR 2012
Additional program added to the agenda! The Business of IT Security and Risk
New keynote format! Mastermind Interview With Michael Dell, CEO, Dell
Special CISO-only sessions and networking opportunities
Special workshop! Implementing BCM Standards for BCM Maturity and Organizational Certification
Enhanced Risk Management and Compliance Program! New research on legal and regulatory risk trade
Advanced CISO virtual track! Advanced sessions for those with experience in the CISO role
New Gartner Magic Quadrant technology evaluations
More opportunities to interact with vendors! More than 90 solution providers on-site

Benefits of Attending

Gain practical insight to improve your IT security and risk management strategy

If you're tasked with protecting critical infrastructure, you'll benefit tremendously from four days of intensive, practical learning, including how to:
Structure and manage each of your individual IT risk programs
Balance and coordinate those programs
Make IT risk programs more efficient and effective
Select approaches and vendor solutions
Articulate security and risk requirements in business language
Integrate BCM with overall risk and security programs

Who should attend?
CIO, CSO, CISO, CRO, CFO, CCO, CGO, CLO, CPO and CTO titles
IT vice presidents and directors
Governance, risk, compliance, and privacy executives, directors and managers
Senior business executives
General counsel
Finance, audit, legal risk and compliance and regulators
Enterprise and operational risk managers
Business continuity, disaster recovery managers

Exclusive! CISO and CRO Invitational Programs
Concurrent with the summit, CISO and CRO Invitational Programs provide a forum for the exploration of top-of-mind leadership, IT security, privacy and risk management issues for CISOs, CSOs and CROs. In these intensive programs, guest executives meet with leading technology providers to exchange ideas and strategies. Participation includes gratis travel, hotel and registration and is by invitation only on a first-come, first-served basis. To learn more and apply, visit gartner.com/us/securityrisk.

By 2015, enterprises will be forced to implement integrated GRC to support converged IT and corporate governance, as well as improvement of business performance. (Gartner Predicts)

Visit gartner.com/us/securityrisk for agenda updates and to register

TABLE OF CONTENTS
Summit Programs
Virtual and Vertical Tracks
Keynote Sessions
CISO Program
IT Security Program
BCM Program
Risk Management Program
The Business of IT Security and Risk Program
Session Descriptions
Solution Showcase
Agenda at a Glance
Registration

SUMMIT PROGRAMS

Analyst One-On-Ones
Meet face to face with a Gartner analyst in up to two personalized 30-minute private appointments to discuss your specific risk management and compliance issues. Walk away with invaluable, tailor-made advice that you can apply to your role and your organization immediately. Preregistration is recommended.

Analyst-User Roundtables
Join us for a hosted peer group discussion with your end-user peers, moderated by a Gartner analyst lending his or her expertise to assist you. Share the latest best practices among your peers. Preregistration is recommended.

Five complete programs deliver in-depth insight
Chaired by experts in each discipline, five distinct agenda programs facilitate a more targeted learning and networking experience.

CISO Program
You've got the job; now what? Being CISO means understanding the big picture and articulating it clearly to the highest levels of the organization. Critical criteria for success include evaluating enterprise risk, dealing with legal issues and understanding security architecture. In recommended and exclusive CISO-only sessions, new CISOs can get up-to-speed while veterans update their insights. And for those who are more experienced, we have added an Advanced CISO virtual track.

IT Security
Both business and technology issues affect how well organizations protect themselves from threats and vulnerabilities, and how effectively they step up to opportunities. From the cloud to the network, from protecting applications and data to keeping mobile and remote computing safe, security has a direct impact on the bottom line. Here we look at important updates in key trends, big-picture strategy and technical specifics. Plus, we take a deep dive into a variety of security architecture with our Technical Insights virtual track.

Business Continuity Management
How does the enterprise ensure continuing business operations and systems availability when a business interruption occurs anywhere in the organization? In these sessions, we give you the tools to anticipate the unanticipated and work to reinforce a discipline of risk management, response, recovery and resilience in the corporate culture.

Risk Management and Compliance
Measuring and managing risk, and complying with a variety of global rules, regulations and laws about financial transactions and privacy, have become critical components of successful operations in the worldwide environment. This program focuses on technologies and strategies to improve governance, manage risk and conform to the letter and spirit of the law.

Technical Insights sessions
This year's summit features a virtual track on Technical Insights that provides detailed, technically oriented guidance on architecture and planning considerations for protecting information associated with new devices and service hosting models.

NEW! The Business of IT Security and Risk
How big is the security and risk market for software and services, and who are the market leaders? Where are the innovations coming from? What new threats are being addressed by point solutions? This all-new program looks at this extremely dynamic market, presenting the financial and strategic views that CISOs, investors and media need to make informed evaluations.

Virtual and Vertical Industry Tracks

Virtual and vertical industry tracks make it easy to follow a key trend, hot topic or address industry issues in relevant sessions pulled from across all five conference programs. To further customize any track, visit the Agenda Builder at gartner.com/us/securityrisk.

Virtual tracks
Mobility and Security: Business-critical system and data issues emerging from new wireless technologies
Cybersecurity: Cybersecurity issues such as organized teams of hackers that impact both the private and public sectors
Cloud Computing: The new imperative to know your risk profile, understand the risks cloud computing can create, minimize those risks, and move forward appropriately
Privacy: Emerging technologies that have an impact on privacy, but also those that can help to protect personal information and how to pay for them
Identity and Access Management: How IAM can evolve and mature to help businesses weather today's volatile and rapid change
Managing Legal and Regulatory Risk: How the IT organization can better support the chief legal officer and corporate compliance officer as they face a proliferation of regulation and litigation
Advanced CISO: Take your professional development to the next level with sessions to address specific business needs
Technical Insights: Explore the architecture and planning considerations for protecting information associated with new devices and service hosting models
Social Media: What can be done about the risks of emerging social media and how do they balance against the opportunities?

Vertical industry tracks
Financial Services: Fighting fraud while keeping online banking seamless and efficient
Government: Developing cohesive national cybersecurity initiatives in partnership with consumers and the public sector
Healthcare: Increasing quality of service delivery, reducing compliance costs and anticipating healthcare reform while maintaining patient privacy and protecting intellectual property
Energy/Utilities: Establishing effective and efficient smart grid technology while combating fraud, cyberattacks and the loss of control
Manufacturing: Managing increasingly interconnected and complex control networks while reducing costs, maintaining system integrity and protecting proprietary data

Maximize your experience with our unique conference features

First-class peer networking
Engage in informal and structured networking opportunities such as workshops, networking breakfasts by industry, conference receptions and more.

Hands-on workshops
These small group workshops immerse you in real-world problem solving, with practical take-aways.

Tutorials
Join us for our complimentary preconference sessions to get up-to-speed and gain an overall perspective on security and risk management terms and definitions.

Solution Provider Showcase
Meet with today's leading and emerging security and risk management solution providers all under one roof, and get the latest information and demos on new products and services.

KEYNOTE SESSIONS

Guest keynotes
Michael Dell, Chairman and CEO, Dell
John Hodgman, Actor, Author and Correspondent for The Daily Show
Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Mastermind Interview With Michael Dell, Chairman and CEO, Dell
It's been over a year since Dell made its move into information security by acquiring SecureWorks, a managed security services provider. The transition from being a stand-alone, pure-play security provider to a unit within a larger IT vendor often causes organizational integration issues or loss of focus, but Dell has had a positive view. What's on the road map for Dell, how does it see information security and what are its prospects? Chairman of the Board and CEO Michael Dell answers the analysts' and your questions about Dell, security and risk.

Information Security and Technology in General Problem Solved. You're Welcome
The Daily Show correspondent and PC personified in the long-running Mac vs. PC ad campaign, John Hodgman, has done it all from TV and film to best-selling books. He has been seen on HBO's Bored to Death and Flight of the Conchords, and in movies like Arthur, The Invention of Lying and Baby Mama. As an author, his first book was The Areas of My Expertise, followed by More Information Than You Require. His final book in this trilogy on complete world knowledge is That Is All.

Cybersecurity: A View From the White House
Howard Schmidt is Cybersecurity Coordinator and Special Assistant to the President (Accepted), former vice chair of the President's Critical Infrastructure Protection Board, and former Chief Information Security Officer at Microsoft and eBay. Here he discusses the Obama administration's effort to reduce cyberthreats. This includes the administration's legislative proposals and plans to protect critical infrastructure such as the electric grid, transportation systems and Wall Street, as well as protecting U.S. military defenses and businesses from cyberattacks.

Gartner keynotes

Opening Keynote: Strategic Road Maps for IT Security and Risk Management
A security leader's mission is to road-map a security strategy and drive operations to effectively and efficiently sustain business performance in dynamic and chaotic environments. This session looks at the overall risk management programs within organizations working toward that goal.

Andrew Walls, Gartner Research
Ray Wagner, Managing Vice President, Gartner Research

Closing Insights and a Review of Aha Moments
By the end of the conference, attendees, sponsors and Gartner analysts each gain new insights, so we conclude the event by sharing what we have learned, or our aha moments. Through interviews and social media, the session reveals valuable insights gathered during the week. Gartner analysts each have a few minutes to share their new insights. We then turn to the audience for an open discussion. It is a great way to crystallize ideas to take back to your team, coupled with a touch of humor to close the conference.

CISO PROGRAM

You've got the job; now what? Being a CISO means having the big picture and articulating it clearly and compellingly to the highest levels of the organization. Evaluating enterprise risk, dealing with legal issues and comprehending the impact of a security architecture overlay are all critical criteria for success. From metrics that matter, to enterprise data protection, to articulating the business value of IT security, key topics get in-depth treatment that cover the latest tools, research and insights.

The agenda includes a thoughtful mix of practical sessions, such as how to develop key competencies in a new security team, and big-picture insights, including sessions on security as a social science and the importance of trust. Featuring exclusive networking events for CISO Program attendees and plenty of opportunities to put your questions directly to the analysts, this is a rich learning environment designed to help you evaluate, run and improve your security and risk management programs.

This year's CISO Program includes both foundational and advanced sessions to deliver the information you need to succeed at every stage in your career.

HOT TOPICS
Enterprise security intelligence
Business-IT security alignment
Governance and policy setting
Privacy regulations policy
Corporate risk management
Business value of information security
Enterprise security strategy and architecture
Creating a risk-aware culture
Legal implications associated with information security
Advanced analytics and operational metrics best practices

Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
F. Christian Byrnes, Managing Vice President
Jay Heiser, Vice President
Rob McMillan
Paul E. Proctor, Vice President and Distinguished Analyst
Tom Scholtz, Vice President and Distinguished Analyst
Jeffrey Wheatman

Through 2016, 75% of CISOs who experience publicly disclosed security breaches, and lack documented, tested response plans, will be fired. (Gartner Predicts)

CISO AGENDA

CISO Invitational Program Features
Direct interaction with analysts
The latest research on top priorities for CISOs
Boardroom case study presentations with leading solution providers
Advanced CISO virtual track for more experienced CISOs
C-level-only roundtable discussions
Exclusive CISO networking events
Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell
Security management workshop

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management - Andrew Walls
11:30 a.m. A1. Security and Risk Management as a Social Science - Tom Scholtz
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. A2. Security Program Management Overview - F. Christian Byrnes

Tuesday, June 12
8:15 a.m. A3. When Risk Management Does More Harm Than Good: RM 101 - Jay Heiser
10:45 a.m. A4. Metrics That Matter - Jeffrey Wheatman
2:00 p.m. A5. Security and Risk Governance: It's Much More Than Just Reporting - F. Christian Byrnes, Tom Scholtz
4:30 p.m. A6a. Net IT Out: Articulating the Business Value of Information Security - Tom Scholtz
4:55 p.m. A6b. Net IT Out: Developing the Key Competencies of the New Security Team - Tom Scholtz
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. A7. How to Run, Grow and Transform Your Risk and Security Program - Paul E. Proctor
11:00 a.m. W1. Workshop: ITScore For Security Management - F. Christian Byrnes
1:30 p.m. A9. Optimizing the Information Security Organization - Jeffrey Wheatman
4:00 p.m. A10. Ignore Enterprise Data Protection at Your Peril - Jeffrey Wheatman
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy - Rob McMillan, Tom Scholtz
9:15 a.m. A12. Intelligent Information Governance 2012 - Debra Logan
10:30 a.m. A13. Trust: The Elusive Final Ingredient - Jay Heiser
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner

CRO Invitational Program Features
Direct interaction with analysts
The latest research on top priorities for CROs
Boardroom case study presentations with leading solution providers
CRO roundtable discussions
Exclusive CRO networking events
Keynotes, general sessions and a Mastermind Interview with Dell Chairman of the Board and CEO, Michael Dell

Special Agenda for Chief Risk Officer, Chief Legal Officer, Chief Compliance Officer
Critical business uncertainties like reputational risks, regulatory proliferation and increasing litigation costs all require risk intelligence to support critical business decisions. The technology to support risk management and compliance is also advancing. It must be scalable to the entire enterprise and enable collaboration between multiple risk management activities, such as auditing, legal, finance, IT and compliance functions. Reporting and analytics must be on-demand in order to support business decisions and short-notice requests from regulators. Information governance, e-discovery and controls automation technologies must be in place to prevent problems in the first place, and to automate labor-intensive processes. To provide insight into critical governance, risk and compliance technologies, Gartner is pleased to offer a special agenda for senior business executives who have risk management, legal and compliance responsibilities.

IT SECURITY

Given the complexity and seriousness of today's threat environment, it's no wonder the IT Security Program includes more than 60 analyst sessions that cover everything from privacy to fraud prevention to emerging technologies, and everything in between. Our team of security analysts will be on-site to meet with attendees, present their latest research, answer questions and lead roundtable discussions focusing on today's most urgent security topics. You'll find multiple sessions that cover such rapidly evolving trends as mobile, cloud and social technologies, as well as privacy concerns, consumerization, network access control, the next generation of threats and more.

The program agenda features:
Eight analyst-user roundtables on such topics as privacy, application security and cloud risks
Four tutorials on choosing solutions, understanding trends and more
Six Technical Insights sessions that drill down on best practices in cloud, mobile and virtualization
New case studies, including The World Trade Center's Situational Platform, and others on cybersecurity and creating a secure community cloud
Plus, three workshops, eight "just the facts" Net IT Out sessions, networking events and much more

HOT TOPICS
Mobile application and security
Social media and security
Consumerization
Advanced persistent threats
Cybersecurity
Cloud computing security
Securing the virtualized data center
Critical infrastructure protection
Fraud detection
Endpoint security

Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities. (Gartner Predicts)

MEET THE ANALYSTS

Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.

Ant Allan, Vice President
Dan Blum, Vice President and Distinguished Analyst
Perry Carpenter
Carsten Casper
Anton Chuvakin
Mario de Boer
Joseph Feiman, Vice President and Gartner Fellow
Peter Firstbrook
John Girard, Vice President and Distinguished Analyst
Steve Hawald
Jay Heiser, Vice President
Kelly M. Kavanagh, Principal Analyst
Gregg Kreizman
Avivah Litan, Vice President and Distinguished Analyst
Neil MacDonald, Vice President and Gartner Fellow
Eric Maiwald, Vice President
Rob McMillan
Mark Nicolett, Managing Vice President
Lawrence Orans, Vice President
Eric Ouellet, Vice President
Earl Perkins, Vice President
John Pescatore, Vice President and Distinguished Analyst
Lawrence Pingree
Tom Scholtz, Vice President and Distinguished Analyst
Doug Simmons, Vice President, Gartner Consulting
Ray Wagner
Andrew Walls
Vic Wheatman, Vice President
Greg Young, Vice President
Tim Zimmerman

IT SECURITY AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management - Andrew Walls
IT SECURITY
11:30 a.m. B1. The Security State of the Cloud - Jay Heiser
Infrastructure Protection
C1. Road Map: The Next Generation of Firewalls and IPS - Greg Young
D1. Protecting Your Network in the Era of BYOD - Lawrence Orans
Secure Business Enablement
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees - Joseph Feiman

Tuesday, June 12
8:15 a.m. B3. The Endpoint Protection Platform in the Age of Tablets and Clouds - Peter Firstbrook
10:45 a.m. B4. Case Study: The World Trade Center's Situational Awareness Platform - Lou Barani, of Security, World Trade Center; Moderator: Jeff Vining
2:00 p.m. B5. Road Map: Secure Communications With Partners and Customers - Peter Firstbrook
4:30 p.m. B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely - Jay Heiser
4:55 p.m. B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology - Rob McMillan
C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence - Neil MacDonald
C3. Monitoring Users for Security Intelligence: Threats and Opportunities - Andrew Walls
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? - John Girard, Lawrence Pingree
C5. Case Study: DoD's Approach to Security Testing - Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps
C6a. Net IT Out: Technical Insights Securing Browser-Based Applications - Mario de Boer
C6b. Net IT Out: Road Map Gaining Control of Consumerization - Lawrence Orans
D2. Taking Privacy to the Next Level With a Privacy Program - Carsten Casper
D3. Road Map: Operationalizing Encryption - Eric Ouellet
D4. Technical Insights: Operationalizing PCI DSS Compliance - Anton Chuvakin
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence - Dan Blum
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management - Carsten Casper
D6b. Net IT Out: Job Security in Cloud Era Will Jobs Stay or Vaporize? - Joseph Feiman
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. B7. SIEM for Hybrid Technology and Services Deployments - Kelly M. Kavanagh, Mark Nicolett
11:00 a.m. B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud - Anton Chuvakin
1:30 p.m. B9. The New Dangers of Machine to Machine (M2M) in the Enterprise - Tim Zimmerman
4:00 p.m. B10. The Mobile Security Brothers Traveling Roadshow - John Girard, John Pescatore
C7. Technical Insights: Mobility and Security Gartner Field Research Project on Mobility and Consumerization - Eric Maiwald
C8. Deep Dive Into Internet Infrastructure Attacks - Lawrence Orans, John Pescatore
C9. Road Map: Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management - Mark Nicolett
C10. NIST's National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage - Steve Hawald
D7. Operationalize Social Media to Improve Security Performance - Andrew Walls
W2. Workshop: ITScore for Privacy - Carsten Casper
E1. Higher, Faster, Stronger: The Performant IAM Program - Ant Allan
E2. Road Map: IAM Operations The IAM Data Model - Earl Perkins
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise - Perry Carpenter
E4. Layered Fraud Prevention for Land-Based and Mobile Computing - Avivah Litan
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) - Perry Carpenter, Andrew Walls
E6a. Net IT Out: One-Time-Password Hardware Tokens Going, Going Not Quite Gone - Ant Allan
E6b. Net IT Out: The Undeath of PKI - Eric Ouellet
E7. Q&A Session: The Identity and Access Management Marketplace - Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
W3. Workshop: ITScore for IAM - Perry Carpenter, Ray Wagner
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World - Gregg Kreizman
D10. Technical Insights: SaaS Security Trust Versus Technology - Dan Blum
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats - Neil MacDonald
9:15 a.m. B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector - Doug Simmons, Gartner Consulting
C11. Manage Your Security Vendors or Be Mangled - Greg Young
C12. Network Security Open Q&A - Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
10:30 a.m. C13. Technical Insights: Network Security Architecture for Internal Private Clouds - Eric Maiwald
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner
W4. (8:00-10:00 a.m.) Workshop: Securing the Access Layer Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees - Lawrence Orans, Tim Zimmerman
D13. Developing and Implementing a Superior Mobile Device Policy - John Girard
E10. Socrates Was Wrong: A Debate - Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman
E11. Case Study: Securing the Digital Nation The New Frontier of Cybersecurity Training and Education - Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
E12. Technical Insights: Endpoint Virtualization Security Considerations - Mario de Boer

BUSINESS CONTINUITY MANAGEMENT

HOT TOPICS
BCM/IT DRM program management
BCM standards and organization certification
Supply chain risk management
The business case for BCM
Failing over into the cloud
Disaster recovery
Continuous application availability
Social software and recovery
Crisis and incident management
Emergency/mass notification
Recovery plan exercising

The business case for business continuity management has never been more convincing. Effective enterprise risk management, response, recovery and resilience are increasingly seen not only as requirements, but as potentially critical business advantages. In the BCM program, more than a dozen analyst sessions examine the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies. Six leading Gartner analysts specializing in BCM will be on hand to present their latest research and answer questions on everything from achieving continuous application availability to recovery in the cloud, teleworking through a disaster, crisis management and much more.

The program agenda includes:
Two Gartner Magic Quadrant Net IT Out sessions that cover the BCM marketplace for tools and solutions
Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
A tutorial on BCM maturity and evolution
Plus workshop on BCM standards and certification and BCM-focused networking events

Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
Leif Eriksen
John Girard, Vice President and Distinguished Analyst
John P. Morency, Vice President
Donna Scott, Vice President and Distinguished Analyst
Jeff Vining, Vice President
Roberta J. Witty, Vice President

BCM AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management - Andrew Walls
11:30 a.m. F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 - John P. Morency, Roberta J. Witty
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. F2. Case Study: Intel's Response to the Fukushima Earthquake/Tsunami - Jeff Selvala, Assembly Test Global Materials, Intel; Roberta J. Witty

Tuesday, June 12
8:15 a.m. F3. Case Study: Teleworking Through a Disaster - John Girard, Roberta J. Witty
10:45 a.m. F4. Case Study: Demographics An Unknown BCM Risk - Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
2:00 p.m. F5. Crisis/Incident Management Overview - Leif Eriksen, Roberta J. Witty
4:30 p.m. F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants - Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. F7. Strategies for Achieving Continuous Application Availability - Donna Scott
11:00 a.m. F8. Can I Recover Through the Cloud? - John P. Morency, Sheila Childs
1:30 p.m. F9. Best Practices in Recovery Exercising - John P. Morency
4:00 p.m. F10. Panel: Educating Boards of Directors and Management in the Business Case for BCM - Moderator: Roberta J. Witty
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. W5. (8:00-11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification - John P. Morency, Roberta J. Witty
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner

By 2015, 30% of midsize businesses will adopt recovery-in-the-cloud services to support IT operations recovery. (Gartner Predicts)

New Business Continuity Management program features for 2012
Learn the latest best practices, evolving trends and the burgeoning frontiers of mobile, social and cloud-based recovery strategies in a program dedicated to your BCM needs. Features include:
10 BCM-focused analyst sessions
Two Gartner Magic Quadrant Net IT Out sessions covering the BCM marketplace for tools and solutions
Six BCM-focused Gartner analysts available for private one-on-one meetings
Analyst-user roundtable discussions on IT availability, social media in BCM and recovery exercising
A tutorial on BCM maturity and evolution
A workshop on BCM standards and certification and BCM-focused networking events

By 2014, almost half of organizations will have integrated public social media services with their crisis communication strategies. (Gartner Predicts)

RISK MANAGEMENT and Compliance

HOT TOPICS
Enterprise and IT risk management effectiveness
Risk-adjusted value management
Creating key risk indicators
Legal and regulatory info governance
E-discovery
Supporting the chief legal officer
Social risk management
Reporting on risk management initiatives to the board
Managing risk and compliance issues with big data
Cloud risks

A major shift is under way, in which senior business leaders and boards of directors begin to recognize enterprise risk management as more than a compliance-driven cost. Today's risk management executives are using enterprise risk management strategies to minimize business risk, support next-generation business needs and improve business performance.

The Risk Management and Compliance Program focuses on strategic issues in risk management and adds additional emphasis on legal and regulatory risks, including:
How to better communicate the benefits and objectives of the risk management program to the board and senior business leaders
Key trends such as growing concerns around privacy and data protection
New anti-fraud and anti-corruption legislation
Mobility, cloud computing and their impacts on security and risk
Legal and regulatory governance strategies

Meet the analysts
Gartner analysts draw on the real-life challenges and solutions experienced by clients from 12,000 distinct organizations worldwide.
French Caldwell, Vice President and Gartner Fellow
Sheila Childs, Managing Vice President
Hiranya Fernando, Senior Analyst
Andrew Frank, Vice President
Ian Glazer
Khushbu Pratap, Senior Analyst
Jeffrey Wheatman
Debra Logan, Vice President and Distinguished Analyst
Paul E. Proctor, Vice President and Distinguished Analyst
John A. Wheeler

By 2016, enterprises that combine BPM and ERM will achieve higher-performance business results than those that employ them separately. - Gartner Predicts

Risk AGENDA

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management - Andrew Walls
RISK AND COMPLIANCE: Enterprise and Operational Risk Management; Managing Legal and Compliance Risk
11:30 a.m. G1. Road Map: Privacy, Marketing and Behavior Tracking A Risky Mandate - Andrew Frank
11:30 a.m. H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance - Debra Logan, Jeffrey Wheatman
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM - John A. Wheeler
5:00 p.m. H2. The Corporate Ethics Game Show: Let's Make a Deal or Jeopardy!? - Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School

Tuesday, June 12
8:15 a.m. G3. General Session: Untangling the Multimillion-Dollar Madoff Ponzi Scheme - David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
10:45 a.m. G4. Seven Keys to Successful and Cost-Effective Risk Oversight - John A. Wheeler
10:45 a.m. H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 1. View From the Bench - Debra Logan, Lew Schwartz, Judges Panel
2:00 p.m. G5. Global Supply Chain Risk: Perception and Management - Hiranya Fernando
2:00 p.m. H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 2. View From the Practitioners - Debra Logan, Lew Schwartz, Outside Panel
4:30 p.m. G6a. Net IT Out: The Realities of Cyberinsurance - John A. Wheeler
4:30 p.m. H6a. Net IT Out: Compliance Controls When Are Yours Too Old? - Khushbu Pratap
4:55 p.m. G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools A Use Case Approach - Paul E. Proctor
4:55 p.m. H6b. Net IT Out: SAS 70 Is Gone So What Are the Alternatives? - French Caldwell
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. G7. General Session: Enterprise and Operational Risk Management: s Roundtable What the Board Wants - French Caldwell, Dale Kutnick, Panelists
11:00 a.m. G8. Risk-Adjusted Value Management - Paul E. Proctor
11:00 a.m. H8. Internal Auditors: Why They Do What They Do - Khushbu Pratap
1:30 p.m. G9. Technical Insights: Road Map Managing Multinational Privacy Risks in the Cloud - Ian Glazer
1:30 p.m. H9. Improving Your Social Risk IQ - French Caldwell
4:00 p.m. G10. Six CIO Risk Techniques to Please Your Board - French Caldwell
4:00 p.m. H10. Managing Litigation and Regulatory Risks of Big Data - Sheila Childs
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
8:00 a.m. W6. Workshop: Policy Critique - Jay Heiser
8:00 a.m. W7. Workshop: Implementing COBIT 5 - Robert Stroud, ISACA's Strategic Advisory Council
9:15 a.m. W8. (9:15-11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company - Paul E. Proctor
9:15 a.m. H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence - Benjamin Wright, SANS Institute
10:30 a.m. H12. Road Map: Intelligent Information Governance 2012 - Debra Logan
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner

New Risk and Compliance program features for 2012

Divided into two tracks (Enterprise and Operational Risk Management, and Managing Legal and Compliance Risk), the Risk Management and Compliance program offers:
25 in-depth sessions and two general sessions
CRO Invitational Program
Three workshops, two Road Map sessions, four Net IT Out sessions, and one Technical Insights session
Two analyst-user roundtables focused on risk management and compliance
10 on-site Gartner analysts focused on risk management and compliance, available for private one-on-one meetings
Special risk-management-and-compliance networking opportunities

NEW! The Business of IT Security and Risk

Meet the analysts
Eric Ahlm
Ruggero Contu, Principal Analyst
Joseph Feiman, Vice President and Gartner Fellow
Peter Firstbrook
Ramon Krikken
Lawrence Pingree
John Rizzuto, Vice President and Invest Analyst
Greg Young, Vice President

Mobility, cloud and social technologies have transformed IT, posing a stupefying array of new security threats and engendering an equally overwhelming number of new security and risk management options. In a climate of volatile change, how do you know you are making the right security and risk management investments?

New this year, The Business of IT Security and Risk program examines today's dynamic marketplace, the current landscape of market leaders and upstart innovators, as well as how the scenery is likely to change. We take an investor's financial and strategic view of the market, based on the evaluations of our analysts, the financial community and the media. Will your current partners see you through into the mobile, social, cloud-based future? Where will the leading innovations come from? Where should you put your money? Featuring 10 sessions with leading analysts, investors, journalists and bloggers, this unique program provides extremely important information for CISOs and others investing in security and risk solutions.

Monday, June 11
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
10:15 a.m. K1b. Opening Keynote: Strategic Road Maps for IT Security and Risk Management - Andrew Walls
NEW! Business: The Business of IT Security and Risk
11:30 a.m. J1. Security Markets Worldwide 2012 - Eric Ahlm, Ruggero Contu
2:45 p.m. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
5:00 p.m. J2. IT Security Survey: Study Results and Trends Analysis - Ruggero Contu, Lawrence Pingree

Tuesday, June 12
8:15 a.m. J3. Technical Insights: The Art of Saying Yes Selling Application Security to Architects and Developers - Ramon Krikken
10:45 a.m. J4. SWOT Analysis: IBM and HP Application and Data Security - Joseph Feiman
2:00 p.m. J5. Security Investors' Perspectives Panel - Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
4:30 p.m. J6. Security Market Gartner Magic Quadrant Overview - Greg Young
5:30 p.m. K3. Guest Keynote: Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
8:30 a.m. J7. Security Journalists and Bloggers Panel - Moderator: Greg Young
11:00 a.m. J8. SWOT Analysis: McAfee, Symantec, Cisco - Eric Ahlm, Ruggero Contu, Peter Firstbrook
1:30 p.m. J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security - Neil MacDonald, Lawrence Pingree
4:00 p.m. J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps - Joe Fuller, Dominion Enterprises
5:15 p.m. K4. Guest Keynote: Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show

Thursday, June 14
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner

HOT TOPICS
Information security forecasts worldwide
Market shares in the infosec domain
User wants-and-needs survey results
Strengths, weaknesses, opportunities and threats (SWOT) evaluations on leading IT security and risk vendors
Gartner Magic Quadrant trends
Investors' perspectives panel

SESSION DESCRIPTIONS

CISO Program

TRACK A: The CISO

A1. Security and Risk Management as a Social Science
As technical security controls are increasingly integrated into the infrastructure fabric, CISOs' focuses will continue to shift toward the behaviors, attitudes and cultures of stakeholders. This presentation highlights how this will impact security leaders, and which actions they should take.
Tom Scholtz

A2. Security Program Management Overview
Security programs have evolved and continue to mature. This session describes the maturity level characteristics of current information security programs and reviews the Gartner ITScore survey results.
F. Christian Byrnes

A3. When Risk Management Does More Harm Than Good: RM 101
Risk used to be like the weather: everybody talked about it, but few did anything about it. While the weather still remains unpredictable, business demands a more predictable approach to IT-related risks. This session helps the new risk manager understand the basic principles of risk management.
Jay Heiser

A4. Metrics That Matter
Enterprises still continue to create and report on security metrics that have no context and that nobody cares about. The effective metrics program highlights a few key measures with reasonable achievable targets that drive continuous improvement.
Jeffrey Wheatman

A5. Security and Risk Governance: It's Much More Than Just Reporting
Effective governance provides accountability, responsibility, authority and assurance. Security and risk governance consists of processes and activities executed and overseen by governance bodies. Their success depends on the effectiveness of the groups tasked with executing them.
F. Christian Byrnes, Tom Scholtz

A6a. Net IT Out: Articulating the Business Value of Information Security
While security budgets held up comparatively well during the recession, organizations are shifting their focuses from survival back to growth mode. This requires investment of (still-limited) financial resources into innovation and growth projects, resulting in increasing pressure on security budgets.
Tom Scholtz

A6b. Net IT Out: Developing the Key Competencies of the New Security Team
As the information security discipline matures, the security-related skills and knowledge of a chief information security officer and his or her teams are taken for granted. However, security professionals who expect to thrive in a dynamic business environment need to continually learn new skills.
Tom Scholtz

A7. How to Run, Grow and Transform Your Risk and Security Program
Creating and formalizing a security and risk program is inexpensive, but developing a mature program requires high-level support, a strategic approach and proper time to execute. Modern enterprises must also align with business needs and address cultural gaps with the non-IT parts of the business.
Paul E. Proctor

A9. Optimizing the Information Security Organization
Stop worrying about where the CISO reports, and think about how security meets your clients' needs. Governance, accountability and responsibility can't be fixed by moving head count. Here, we discuss how organizational changes may or may not impact your information security program's success.
Jeffrey Wheatman

A10. Ignore Enterprise Data Protection at Your Peril
Clients are missing the big picture when they protect data in technology silos without garnering a clear understanding of the value and risk associated with that data. This session analyzes the real drivers for data protection and provides a survey of some of the available tools to address the problem.
Jeffrey Wheatman

A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy
If you aim at nothing, you will hit it. A realistic strategy is a key component of any information security program. Developing and maintaining a strategy in dynamic threat, technology and business environments is indeed challenging.
Rob McMillan, Tom Scholtz

A12. Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs.
Debra Logan

A13. Trust: The Elusive Final Ingredient
Substantive external sharing only happens when everyone is confident that no harm will be caused. Trust conditions must be enabled before partners access information. Architects must understand social trust mechanisms, enabling external collaboration through the use of data protection technology.
Jay Heiser

WORKSHOPS

W1. Workshop: ITScore for Security Management Workshop
Balanced scorecards provide security teams with critical tools to demonstrate value by identifying and leveraging security's benefits across multiple business domains. This workshop discusses the building blocks for balanced scorecards for information security and how clients can avoid the hurdles.
F. Christian Byrnes

Analyst-User Roundtable

AUR15. Secure Web Gateways
This session is restricted to attendees with a CISO or equivalent title, or other C-level or senior management role related to information security. This is a discussion session.
F. Christian Byrnes

IT SECURITY TRACK B: Infrastructure Protection

B1. The Security State of the Cloud
Where does the world stand on cloud computing risks? This presentation provides an overview of the technical and process mechanisms that can be applied to help reduce the risks of cloud computing.
Jay Heiser

B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees
As attacks become more motivated by money, and as enterprises get better at securing the infrastructure, there's been a shift to application attacks. Now it is not just hackers but also employees that create serious threats. Addressing new risks, new application and data security market spaces have emerged.
Joseph Feiman

B3. The Endpoint Protection Platform in the Age of Tablets and Clouds
Tests show that current endpoint protection platforms (EPP) do not provide full protection from mass-propagated or targeted attacks. In addition, security teams are grappling with the diversification of the traditional endpoint. Here we compare current and future EPP requirements.
Peter Firstbrook

B4. Case Study: The World Trade Center's Situational Awareness Platform
The security director of the iconic World Trade Center describes best practices, lessons learned and technologies deployed while implementing a situational awareness platform to monitor events and identities in real time using an integrated command center for correlating data and imagery.
Lou Barani, of Security, World Trade Center; Moderator: Jeff Vining

B5. Road Map: Secure Communications With Partners and Customers
Regulations and data theft are increasing the focus on protecting intellectual property and sensitive information. The most common data exchange solution for most companies is . Organizations struggle with securing communications to partners, customers and contractors.
Peter Firstbrook

B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely
Organizations need to permit employees of other companies to have access to sensitive information. But multienterprise collaboration can't be secured by traditional means. Learn how flexible and affordable trust technologies and services are being used to securely share data among enterprises.
Jay Heiser

B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology
Data loss prevention continues to be a hot topic, and clients continue to face the challenge of seeing beyond the technology to derive value. The key to this is understanding that you need to implement a DLP process, and not just the tool. What does this mean? What are the pitfalls?
Rob McMillan

B7. SIEM for Hybrid Technology and Services Deployments
We get many client calls about options for using SIEM service providers. Hybrid deployments of technology and services address activities from planning to operations and cover monitoring from corporate data centers to cloud services providers. Here we address use cases supported with SIEM services.
Kelly M. Kavanagh, Mark Nicolett

B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud
This presentation is about security monitoring for cloud environments as well as about using the cloud-delivered tools for monitoring traditional on-premises IT environments. Do we have to use the cloud to monitor the cloud? What traditional approaches will work?
Anton Chuvakin

B9. The New Dangers of Machine to Machine (M2M) in the Enterprise
By 2015 there will be more M2M devices than laptops or tablets. This presentation examines how these devices communicate, authenticate and access resources across the infrastructure and introduce new security dangers to the enterprise.
Tim Zimmerman

B10. The Mobile Security Brothers Traveling Roadshow
Repeating and updating this popular and fun session, the brothers explore critical issues in the rapidly changing world of mobile and wireless computing, but within an audience-interactive game show format with valuable prizes!
John Girard, John Pescatore

B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats
Here we explore extending a whitelisting paradigm from servers to all endpoints using best-practice techniques such as trusted change, IT operations integration and systematic workload reprovisioning of servers and desktops to pull the rug out from under advanced persistent threats.
Neil MacDonald

B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector
This case study looks at an industry-specific, secure community cloud environment designed to improve collaboration. We identify the key components and necessary safeguards for tactical and strategic deployment, and project when vendors will support the emerging community cloud concept.
Doug Simmons, Gartner Consulting

IT SECURITY TRACK C: Infrastructure Protection

C1. Road Map: The Next Generation of Firewalls and IPS
Threats continue to advance, and network security defenses must evolve to become effective against advanced targeted threats. Enterprises should require vendors to add next-generation intrusion prevention features to network security products.
Greg Young

C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence
IT infrastructures have become increasingly virtualized and complex, with workload mobility in conjunction with the cloud becoming the norm. This presentation provides a framework for using big data to deliver actionable insight and intelligence for security and operations from a sea of data.
Neil MacDonald

C3. Monitoring Users for Security Intelligence: Threats and Opportunities
Monitoring the communications of employees (and others), on both internal and external systems, is critical to security intelligence and situational awareness. While leveraging this data to improve security, we must also defend against unfriendly monitoring and data discovery that could be damaging.
Andrew Walls

C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet?
Loss and data exposure are the primary risks organizations face with mobile devices. Using off-the-shelf forensic tools to analyze typical mobile devices, we demonstrate how data is exposed and unintentionally propagated. The analysts then recommend best-practice defenses.
John Girard, Lawrence Pingree

C5. Case Study: DoD's Approach to Security Testing
Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps

C6a. Net IT Out: Technical Insights Securing Browser-Based Applications
Applications running in Web browsers may be implemented in HTML4, HTML5 and JavaScript, or they may use Java, Silverlight, Flash or other platforms. This session discusses the client-side risks of running applications in Web browsers, and covers the strengths and weaknesses of the various protections.
Mario de Boer

C6b. Net IT Out: Road Map Gaining Control of Consumerization
Consumerization is here and IT struggles to keep up. End users have embraced tablets, smartphones, VoIP and Dropbox, giving little thought to security. Reclaim control to create a secure consumerized environment by implementing new technologies and developing reasonable policies and controls.
Lawrence Orans

C7. Technical Insights: Mobility and Security Gartner Field Research on Mobility and Consumerization
Gartner field research identified security issues that arise when introducing consumer devices into the enterprise. We also identified solutions as enterprises deal with the problems. This session presents the results, regarding governance, technical security and management solutions.
Eric Maiwald

C8. Deep Dive Into Internet Infrastructure Attacks
Cracks appear in the Internet's infrastructure. DDoS attacks have increased in intensity and frequency. Attacks on certificate authorities expose SSL's fragility. Attacks on the DNS infrastructure can cause large-scale fraud and disrupt trust. We analyze recent attacks and identify solutions.
Lawrence Orans, John Pescatore

C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management
Attackers are improving their ability to find and exploit security weaknesses. The first order of business is to present a hard target. This requires IT security organizations to run operationally effective vulnerability management across multiple cooperating IT operations and application support teams.
Mark Nicolett

C10. NIST's National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage
NIST's new cyberframework, the NICE program, defines 31 cybersecurity skill specialty areas in today's security workforce. This session addresses how CIOs and CISOs can leverage the framework's best practices to save time and money in future IT cyberworkforce planning and development.
Steve Hawald

C11. Manage Your Security Vendors or Be Mangled
This session presents best practices for deciphering and assessing proposals for security equipment and offerings, as well as the associated discounts you should receive. And what about all your security spending? Is there a way to manage it as a portfolio?
Greg Young

C12. Network Security Open Q&A
Have a network security problem or issue? Wondering about the next-generation thingie, appliance or as-a-service service? What is coming in network security? How can organizations provide strong security when the perimeter is essentially porous? Does network security have a future, or does the data, application and infrastructure need hardening? Bring your questions to this open forum with top Gartner network security analysts.
Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young

C13. Technical Insights: Network Security Architecture for Internal Private Clouds
Private clouds change the data center world. It is no longer easy to know which application is running on which server. This leads to concerns about how to efficiently move, monitor and control traffic between virtual machines. Enterprises need to rethink network security architecture options.
Eric Maiwald

IT SECURITY TRACK D: Secure Business Enablement

D1. Protecting Your Network in the Era of BYOD
Network access control (NAC) burst on the scene in 2003 as the answer to Sasser, Blaster and the worm era. It was derided as an overhyped concept. Now that bring your own device (BYOD) has emerged as an unstoppable trend, NAC is back in favor again, this time as a solution for gaining back control of the network.
Lawrence Orans

D2. Taking Privacy to the Next Level With a Privacy Program
Leading enterprises avoid piecemeal, costly and risky approaches to privacy by combining governance, policy, education and incident response aligned with application development, security and risk management for world-class privacy programs. Learn about privacy by design.
Carsten Casper

D3. Road Map: Operationalizing Encryption
Encryption benefits security postures. But without adequately understanding resources, controls and risk mitigation, the ultimate benefit may be no better than before encryption. Here we look at the major categories of data, devices and service considerations when maximizing encryption's value.
Eric Ouellet

D4. Technical Insights: Operationalizing PCI DSS Compliance
Here we discuss how to make compliance with the Payment Card Industry Data Security Standard (PCI DSS) an ongoing effort that is tied to security management, operations and other units. We present guidance on how to remain compliant despite changes in environments.
Anton Chuvakin

D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence
When it comes to getting infected, cyberattacked, or having vulnerabilities, no organization remains untouched. Thousands of security companies build security tools and services, research malware, probe vulnerabilities and try to help organizations with defense or response, but they struggle to connect the dots.
Dan Blum

D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management
Do you need to share data while preserving privacy? To use public clouds or consolidate global data centers while being compliant with privacy laws? To respond to breaches? To monitor changes in privacy regulations? This session helps you understand the usefulness of various emerging technologies.
Carsten Casper

D6b. Net IT Out: Job Security in Cloud Era Will Jobs Stay or Vaporize?
Cloud is a transformational phenomenon that changes our businesses and our IT organizations. Will cloud transform IT workforce? Will it threaten job security?
Joseph Feiman

D7. Operationalize Social Media to Improve Security Performance
Business is moving past the experimental stage and is actively developing new ways to maximize profits through social media. It is time for security to do the same and use social media to improve security. This presentation explores the opportunities for security improvement through social media.
Andrew Walls

D9. Case Study TBA

D10. Technical Insights: SaaS Security Trust Versus Technology
Enterprises would love to commoditize by cutting costs through outsourcing. However, it is a primary channel, carrying sensitive and proprietary content that needs protection. Much intellectual property resides in databases. Outsourcing to a SaaS provider raises a number of critical questions.
Dan Blum

D13. Developing and Implementing a Superior Mobile Device Policy
Mobile devices, particularly consumer-level products, have trampled over the well-crafted policies that companies put in place for trusted work systems. Businesses must adapt and do so quickly, and they must learn to prioritize the basic configuration and security policies that they will need to preserve.
John Girard

IT SECURITY TRACK E: Secure Business Enablement

E1. Higher, Faster, Stronger: The Performant IAM Program
Every enterprise has to manage workforce, partner and customer identities and the access they get. Not all enterprises are tackling IAM initiatives to maximize IAM value to the business through enhanced security and risk management, improved operations or better business outcomes.
Ant Allan

E2. Road Map: IAM Operations The IAM Data Model
Great IAM operations don't just happen. They're built on solid infrastructure foundations that include high-fidelity identity data stored and used in a structured manner to deliver access and other identity-based services. This presentation describes this operational infrastructure foundation.
Earl Perkins

E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise
When it comes to good practices, IAM programs generate information about what to do and what not to do from planning and design, to product/service choices, deployment and operations. This session explores lessons learned when IAM solutions have addressed both business and technical requirements.
Perry Carpenter

E4. Layered Fraud Prevention for Land-Based and Mobile Computing
This presentation proposes five layers for fraud prevention and sets priorities for managing immediate threats, such as malware-based cyberattacks, within a framework of fraud management. What are the five layers for fraud prevention?
Avivah Litan

21 E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) If your awareness program was designed by a guy with pocket protectors, a fresh CISSP and a highlighted NIST 800 series, then you can guarantee that it is obsolete. New approaches draw on advertising, marketing, social engineering and practical magic to build a new context for security awareness. Perry Carpenter, Andrew Walls E6a. Net IT Out: One-Time-Password Hardware Tokens Going, Going Not Quite Gone One-time password (OTP) hardware tokens have been a staple user authentication method for more than 25 years, but they are increasingly losing out to alternative methods in new and refreshed implementations. This session explores this trend and whether the demise of hardware tokens is inevitable. Ant Allan E6b. Net IT Out: The Undeath of PKI Once at the Peak of Inflated Expectations, then as a technology in search of a problem in the Trough of Disillusionment, PKI has emerged onto the Plateau of Productivity in a variety of styles including Public Key Operations and key management, addressing very real problems. PKI Lives! Is PKI still relevant in 2012? Eric Ouellet E7. Q&A Session: The Identity and Access Management Marketplace This open session has no preplanned agenda, no PowerPoint and no pretensions. It s a venue where audience members can try to stump the analysts or more appropriately raise issues and concerns they face while implementing and operating IAM systems. Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner E9. Managing Identity and Access in the Hybrid World Unless you have the luxury of starting with a greenfield for IAM, you must manage identity in an increasingly hybrid world in which on-premises legacy infrastructures are extended or replaced to support SaaS and mobile endpoints that create new identity islands, complexity and security vulnerabilities. Gregg Kreizman E10. 
Socrates Was Wrong: A Debate
This analyst debate examines human nature in the context of information security and proper behavior. One side says that people will always try to do the right thing. The other side says people aren't that nice and will always do what they can get away with, especially if no one is looking. Rob McMillan, Earl Perkins, Tom Scholtz, Andrew Walls, Vic Wheatman

E11. Case Study: Securing the Digital Nation The New Frontier of Cybersecurity Training and Education
In 2011, the U.S. Secret Service Electronic Crimes Task Forces arrested 1,200 cyberthieves, responsible for the loss of almost $500 million. Last year, the Obama administration released a road map for creating a U.S. cybersecurity workforce. As innovation and interconnectivity in the online and mobile space advances, it is essential for businesses to have an active threat intelligence management process and industrywide knowledge that helps to avoid security risks with planning and layered controls. Keith Gordon will discuss the importance of having a long-term cybersecurity strategy and a short-term remediation plan across all industries. Keith Gordon, Senior Vice President, Security, Fraud and Enrollments, Online and Mobile Channels, Bank of America

E12. Technical Insights: Endpoint Virtualization Security Considerations
Increased mobility and endpoint choices have led organizations to desktop strategies that deploy applications to people, not devices. Endpoint virtualization not only prevents information sprawl but also introduces new risks. Here we focus on the security of various endpoint virtualization technologies. Mario de Boer

TUTORIALS

T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud
Governments worldwide are evaluating cloud-based services to improve services while saving. FedRAMP is a U.S. government process for rapidly certifying the security of such services.
Will this program be successful, and if so, how will corporations address their concerns when it comes to cloud services? John Pescatore

T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference
Enterprises are looking at a tsunami of wireless devices and technologies, from Bluetooth 3.0 to n to LTE and cellular. This presentation looks at each, along with usage scenarios to provide a framework for a best practices policy. Tim Zimmerman

T3. Top Security Trends and Take-Aways for 2012 and 2013
With continuing trends in cloud, consumerization, mobility and the next big thing, the way IT is delivered is changing. Each brings new threats and breaks old security processes. Here we review the top security hot topics to map the trends. Ray Wagner

T4. IAM RFP: Choosing the Best Solutions for Your Business
One of the most frequently asked questions by Gartner clients is whether there are sample requests for proposal (RFPs) for IAM products and services available to use as a starting point in their efforts. This tutorial explores a basic template for different IAM technologies to aid planning. Earl Perkins

WORKSHOPS

W2. Workshop: ITScore for Privacy
Privacy gets ever more complex. How do organizations know they are doing enough? How do they know they are not doing too much? Measuring privacy is an emerging discipline. In this workshop, we introduce the Gartner ITScore assessment for privacy. Bring your laptop to run your own assessment. Carsten Casper

SESSION DESCRIPTIONS

W3. Workshop: ITScore for IAM
IAM leaders use this Gartner assessment to evaluate their IAM efforts against key maturity indicators. This helps determine which aspects of a maturity level are most important and how to advance. Immature programs are likely to be inefficient, ineffective and unable to deliver full business value. Perry Carpenter, Ray Wagner

W4. Workshop: Securing the Access Layer Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees
Network access requires changes to manage mobility and new devices. Understanding usage, devices and risk profiles are first steps. This workshop helps build a strategy by outlining options associated with authentication to corporate, guest access or limited access networks. Lawrence Orans, Tim Zimmerman

ANALYST-USER ROUNDTABLES

AUR1. Where Did I Leave My Privacy?
With mobile technologies and widespread surveillance, losing your privacy is easier than ever. Share lessons learned on location privacy with other participants. Ian Glazer

AUR2. Application Security Concerns
Packaged and custom-developed applications often have vulnerabilities. Finding and mitigating weaknesses consumes time, effort, energy and money. Here security professionals, application developers and others discuss the risky business of relying on applications with potentially hidden problems. Neil MacDonald

AUR3. Content-Aware DLP for Organizations on the Move
Data loss prevention has received attention as a way of keeping sensitive information from leaking from an organization, but implementation has been more difficult than estimated. This is particularly true as mobility is introduced. Peers discuss their experiences in this facilitated roundtable. Eric Ouellet

AUR4. Lessons Learned From Securing My Home Network
Share your war stories with other attendees about how you have secured your home network. Come prepared to whiteboard your design and discuss your favorite products and solutions.
Who knows, you may even learn something that you can apply in your corporate network! Lawrence Orans

AUR5. DMZ Design
Dynamic trends such as virtualization, Web services, XML firewalls and access to new mashups can open perimeter holes. The definition of the DMZ has changed. This group of peers discuss design challenges and current thinking of how DMZs will be architected in the future. Greg Young

AUR9. Security in Healthcare
HIPAA has been around for over a decade, yet healthcare providers still wrestle with the need for protecting patient data. Further, there are concerns that medical devices may be vulnerable to attack. Those involved speak to their experiences and concerns. Mark Nicolett, Paul E. Proctor

AUR10. Security in the Public Sector
Federal, State and Local governments face resource constraints, unfunded mandates, and pressures from constituents for safe and secure access to sensitive data. What are security and risk professionals doing to cope with this environment? Gregg Kreizman, John Pescatore

AUR11. Application Security Testing
Complex software security testing can be challenging as every SAST, DAST and IAST vendor purports to cover the OWASP top 10, and claim their products are more accurate and easier to use than others. In this facilitated session, we look at which tools are strong and weak, and how they are best used. Ramon Krikken

AUR12. Security in Utilities and Energy
As part of the critical infrastructure, utilities and energy companies have unique responsibilities. Enterprise security for business systems is as important to these entities as it is to any, but there are special requirements associated with SCADA networks and other parts of operational technologies used that need a specific focus. Here industry peers share their perspectives and findings. Earl Perkins

AUR17. Outsourcing Security
Organizations often outsource security functions to managed security service providers and other outsourcers.
How far can they go in handing off critical defensive mechanisms, and which should they maintain in house? Join a group of peers in addressing this ongoing question. Kelly M. Kavanagh

AUR18. Dealing With Cloud Risks
As new audit standards go into effect, it's harder than ever to know whether cloud vendors have adequate controls. Learn from fellow participants what their best practices are for managing cloud risks. Jay Heiser

BCM TRACK F Business Continuity Management

F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11
Earthquake in Japan, Australian flooding, tornadoes and other major disasters remind us that closing our eyes and clicking our heels will not bring a return to normalcy. How can lessons learned across the broad range of business delivery services improve your BCM program? John P. Morency, Roberta J. Witty

F2. Case Study: Intel's Response to the Fukushima Earthquake/Tsunami
Intel discusses the impact of the March 2011 Fukushima earthquake/tsunami on its supply chain operations and the resulting changes to their business and IT systems that will make them more resilient in the future. Jeff Selvala,, Assembly Test Global Materials, Intel; Roberta J. Witty

F3. Case Study: Teleworking Through A Disaster
Telework (doing one's job via remote access) could be your business lifeline when the bridge is out, the storm is blowing or the earth is shaking. Here we offer examples of companies that put telework into practice during major disruptive events and provide tips for success in your organization. John Girard, Roberta J. Witty

F4. Case Study: Demographics An Unknown BCM Risk
The business world is faced with legal/regulatory, strategic, and financial risks, but demographic risk has largely been ignored. For example, we have an aging workforce. This session helps you understand how demographics affect your company and identifies solutions strategies. Steve Hannah, Manager, Disaster Recovery, Waddell & Reed

F5. Crisis/Incident Management Overview
Business interruptions occur at a more rapid pace than ever before. Awareness of these events is taking its toll on company reputations. Here we discuss best practices for crisis/incident management programs that keep management in line and ensure a viable supply chain. Leif Eriksen, Roberta J. Witty

F6a. Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants
The BCM software market is composed of three main categories: emergency/mass notification, BCM planning and crisis/incident management tools. This session and the next both provide the latest market analysis of these tools so that organizations can make the right tool choice for their needs. Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F6b. Net IT Out (continued): Business Continuity Management Planning Markets and Magic Quadrants
Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty

F7. Strategies for Achieving Continuous Application Availability
Continuous application availability, eliminating planned and unplanned downtime, is expensive and only justified for the most mission-critical applications.
We analyze techniques and architectures to help achieve continuous availability while assessing people- and process-critical success factors. Donna Scott

F8. Can I Recover Through the Cloud?
Given the number of cloud-specific alternatives, organizations can now evaluate how a cloud-centric approach can improve the efficiency, effectiveness and economics of IT resilience. We discuss product and service choices, cloud-based recovery and early adopter implementation lessons. John P. Morency, Sheila Childs

F9. Best Practices in Recovery Exercising
Exercising IT DRM plans is a must do activity. Increasing time and resource costs are underscoring the need for more efficient approaches. This session discusses the software and management approaches now used by Gartner clients to improve exercise scope, execution and results. John P. Morency

F10. Panel: Educating Boards of s and Management in the Business Case for BCM
Investing in response, recovery, restoration and resilience is in the organization's best interests but can fall on deaf management ears. How do you make a compelling case for the business to continue in case of disruption without FUD? In this panel, seasoned BCM experts describe their approaches. Moderator: Roberta J. Witty

TUTORIALS

T5. BCM Maturity: Where We Are, Where We Should Be Going
Organizations are maturing BCM programs across all industries as the threat of business interruptions rise. Using results of the BCM ITScore, this session reviews where organizations are across eight dimensions of BCM program management, where we should be in the next five years and how to get there. John P. Morency, Roberta J. Witty

WORKSHOPS

W5. Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification
This three-hour workshop will review and compare the most common BCM standards, provide best practices for using them for organization certification, and then have attendees participate in a standards implementation exercise. John P.
Morency, Roberta J. Witty

RISK MANAGEMENT AND COMPLIANCE TRACK G Enterprise and Operational Risk Management

G1. Road Map: Privacy, Marketing and Behavior Tracking A Risky Mandate
Based on a Gartner Innovation Insight note on the business of behavior tracking and its IT implications, we explain why marketing will face pressure to increase behavior tracking activities (and social media monitoring and engagement) and what those responsible for privacy should be doing about it. Andrew Frank

G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM
By understanding business objectives and the processes underlying them, risk managers can gain insight to emerging risks across IT and the business. This presentation highlights business process management components that can bolster a company's risk management program without added investment. John A. Wheeler

G4. Seven Keys to Successful and Cost-Effective Risk Oversight
Given heightened regulatory scrutiny and increased liability, board members are looking to senior business and IT leaders to make major improvements in how companies manage risk. This presentation outlines a practical solution in the form of seven keys to successful and cost-effective risk oversight. John A. Wheeler

G5. Global Supply Chain Risk: Perception and Management
Tomorrow's profitability is built on today's risk management capabilities in an uncertain world. Modern supply chains are complex and exposed to many risks, such as commodity shortages, natural disasters, supply disruptions and external pressure from consumers, government, and NGOs. Discuss! Hiranya Fernando

G6a. Net IT Out: The Realities of Cyberinsurance
Risk managers today are searching for ways to minimize exposure to financial losses that result from information security breaches. This presentation explores the use of cyberinsurance as a potential loss mitigation strategy and discusses what companies should consider before purchasing a policy. John A. Wheeler

G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools A Use Case Approach
Effective IT risk assessment (RA) depends on managing a toolbox of assessment techniques and applying the most appropriate technique on a case-by-case basis. This presentation provides practical advice on selecting RA methods and tools, and on optimizing the utilization of the same. Paul E. Proctor

G8. Risk-Adjusted Value Management
Risk-Adjusted Value Management is a Gartner methodology that bridges the risk/business performance knowledge gaps. Using leading indicators of risk and performance, CIOs, CROs and CISOs can improve their relevance, budget justifications, and decision making. Paul E. Proctor

G9. Technical Insights: Road Map Managing Multinational Privacy Risks in the Cloud
As the use of cloud-based services increases, it is likely that even those organizations that thought they operated entirely within a single jurisdiction will find that their business, transactions and data all cross boundaries.
It's critical to manage the privacy issues that can arise as a result. Ian Glazer

G10. Six CIO Risk Techniques to Please Your Board
Corporate directors are under pressure to improve their risk management oversight. IT leaders can adopt six risk management techniques that will improve the value of their risk management reporting to the board. French Caldwell

RISK MANAGEMENT AND COMPLIANCE TRACK H Managing Legal and Compliance Risk

H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance
Information governance initiatives are increasing in number and scope, but the involvement of IT security and risk management is nonexistent or minimal. Learn how to work together, set common objectives and achieve security, risk and compliance objectives. Debra Logan, Jeffrey Wheatman

H2. The Corporate Ethics Game Show: Let's Make a Deal or Jeopardy!?
Just because it's legal to do, is it right? What if doing the right thing is bad for the enterprise? Does doing the right thing have an ROI? IT security professionals, risk managers and compliance coordinators face vexing moral dilemmas more than they want. This panel parses several real-life ethical scenarios, suggests appropriate courses of action, and fosters second thoughts for the next time you face a What do I do? moment. Joseph E. Schmitz, former DoD IG; John Bace, Guest Lecturer, John Marshall Law School

H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 1. View From the Bench
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding that of what used to comprise the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating? Debra Logan, Lew Schwartz, Judges Panel

H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 2.
View From the Practitioners
E-discovery has become ever more burdensome and expensive, with the cost of individual cases sometimes exceeding that of what used to comprise the total annual U.S. e-discovery cost. Have the amended rules of civil procedure failed against the rising tide of data that shows no signs of abating? Debra Logan, Lew Schwartz, Outside Panel

H6a. Net IT Out: Compliance Controls When Are Yours Too Old?
Many organizations are in a continuous program of maintaining controls that more or less function only to serve auditors and regulators. There are various control types, and each warrants a periodic re-evaluation based on changes in business requirements, compliance initiatives and risk tolerances. Khushbu Pratap

H6b. Net IT Out: SAS 70 Is Gone So What Are the Alternatives?
SAS 70, the audit standard once used to report on IT service providers' and cloud vendors' compliance-related controls, has now been replaced by SSAE 16. This transition is an opportunity for service providers and their customers to re-evaluate which internal controls assurances are truly needed. French Caldwell

H8. Internal Auditors: Why They Do What They Do
While audits may help correct and improve business functions and practices, they may not always adequately cover the most important risks, obligations and business requirements. A sound audit program can help contribute to ROI from compliance and risk management efforts. Khushbu Pratap

H9. Improving Your Social Risk IQ
Whenever there is a gap between public expectations and management's attention to an issue there are social risks, and those risks are growing daily. By 2015, any global enterprise, private or public sector, that does not improve its social risk intelligence will fail. French Caldwell

H10. Managing Litigation and Regulatory Risks of Big Data
Regulatory proliferation and e-discovery readiness have led to IT being more frequently involved in supporting data management activities. Challenges run from building the right team, to interpreting regulatory requirements, to policy development, to selecting the solutions for GRC and information governance. Sheila Childs

H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence
The source of evidence for digital investigations is changing. Previously, digital evidence was extracted from hardware in the possession of the investigator. Today, that evidence is increasingly found on the Web or in the cloud. Benjamin Wright of SANS shares how (and how not) to capture and preserve cyberevidence. Benjamin Wright, Attorney, SANS Institute Instructor: Law of Data Security and Investigations

H12. Road Map: Intelligent Information Governance 2012
We seem to have too much information, but not enough of the right kind. Information governance is technically complex, organizationally challenging and politically sensitive. In this session you gain best practices and lessons learned from early adopters of information governance programs. Debra Logan

WORKSHOPS

W6. Workshop: Policy Critique
In this workshop we examine and discuss examples of actual policy text, looking for typical weaknesses and deciding as a group whether the topic is practical to address through policy, and whether the text is likely to be effective.
Attendees are encouraged to bring their own examples for group review. Jay Heiser

W7. Workshop: Implementing COBIT 5
COBIT 5 is a major strategic improvement for providing the next generation of ISACA guidance on the governance and management of enterprise information and technology (IT) assets. Learn from ISACA's experts how to implement COBIT 5 in your enterprise. Robert Stroud, ISACA's Strategic Advisory Council

W8. Workshop: Creating Key Risk Indicators for Your Company
This 90-minute workshop follows the concepts from the session Using Key Risk Indicators to Influence Business Decision Making to help you develop your own set of organization-specific KPIs and KRIs. Paul E. Proctor

GENERAL SESSIONS

G3. Untangling the Multimillion-Dollar Madoff Ponzi Scheme
Since 2008, Baker Hostetler's David J. Sheehan has overseen the litigation and case management of the liquidation of Bernard L. Madoff Investment Securities LLC as chief counsel to Securities Investor Protection Act Trustee, Irving Picard. With over 1,000 lawsuits filed seeking more than $100 billion, the unraveling of the fraud is a challenging mission that requires thorough investigations of global banking practices, financial instruments and feeder fund machinations, among countless other issues stemming from the largest and most complex financial fraud case in history. David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner

G7. Enterprise and Operational Risk Management: s Roundtable What the Board Wants
Closing the gap between board expectations for risk management, IT organization views, and what is within the possible for GRC technologies is challenging for most enterprises. This is a high impact panel with board members, CIOs and other senior executives and advisors from major corporations. French Caldwell; Dale Kutnick, Gartner Executive Programs; Panelists

ANALYST-USER ROUNDTABLES

AUR8.
Supply Chain Risks
With business uncertainty unabated, natural disasters and new regulations, supply chains are under pressure. Share lessons learned with fellow participants. Hiranya Fernando

AUR13. Audit Horror Stories
What's your most outrageous auditor demand? Sit around the campfire with fellow participants, and share audit horror stories and lessons learned on negotiating with auditors. Khushbu Pratap

AUR14. IT Availability
In this roundtable discussion, Gartner clients share their experiences and learn from each other in the broad arena of IT resiliency. Topics may include best practices and critical success factors in the areas of continuous application availability, measuring availability, service-level agreements, disaster recovery testing, data center resiliency strategy and failover/failback. Donna Scott

NEW PROGRAM! The Business of IT Security and Risk Track J

J1. Security Markets Worldwide 2012
This session explores security markets, their growth forecasts and pending priorities, and ways the market landscape is changing. Eric Ahlm, Ruggero Contu

J2. IT Security Survey: Study Results and Trends Analysis
In this session we review the results of our most recent security survey data, collected at Gartner Security & Risk Summit 2011, including the top-of-mind technologies and buying behaviors of the participants. Ruggero Contu, Lawrence Pingree

J3. Technical Insights: The Art of Saying Yes Selling Application Security to Architects and Developers
Developers feel security too often says no, making projects late and over budget. Selling to architects and developers is challenging, but hidden inside application security are tools that make development easier and faster. Knowing how to articulate domain specific benefits makes the sale easier. Ramon Krikken

J4. SWOT Analysis: IBM and HP Application and Data Security
Large IT providers such as IBM and HP have a variety of security tools, professional services and solutions. Here we examine their application and data security profiles in terms of their strengths, weaknesses, opportunities and threats (SWOT). Joseph Feiman

J5. Security Investors Perspectives Panel
This investment capital panel discussion will bring security investment firms together into a room to discover the under the hood details from within the confines of the information security market investment community. Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman

J6. Security Market Gartner Magic Quadrant Overview
In this session, discover the latest Gartner Magic Quadrants and get a rundown of the latest major players in the security market, how they compete and what has changed. Greg Young

J7.
Security Journalists and Bloggers Panel
Gartner analysts and new media reporters, bloggers and tweeters compare notes on the direction of security, how traditional and social media roles are interacting with the industry and threat-makers, and what is healthy or unwell about security communications today. Moderator: Greg Young

J8. SWOT Analysis: McAfee, Symantec, Cisco
While many identify Cisco as providing security solutions, it has historically been a network company. McAfee is now part of Intel. Symantec has branched out from security. What are these companies' prospects going forward, and what will be their impact on investors? Eric Ahlm, Ruggero Contu, Peter Firstbrook

J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security
Today's information security infrastructure security is static, overpriced and ill-suited to protect against ever-advancing threats. We explore technology and threat discontinuities that will force information security vendors to radically rethink how they approach security over the next five years. Neil MacDonald, Lawrence Pingree

J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps
How can CIOs who are not necessarily security experts become comfortable with cloud-based service? This presentation from marketing services company Dominion Enterprises explains how cloud-based and document sharing works from a security standpoint, and how concerns about storing important documents in the cloud can be addressed securely. Joe Fuller, Vice President and CIO, Dominion Enterprise

By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service. Gartner Predicts

SOLUTION SHOWCASE

Today's leading solution providers and top innovators in the security, risk management and business continuity management space will be on-site with the most informed representatives, ready to answer your questions. Get the research, ask your questions, streamline the vetting process and leave with a shortlist you can act on immediately.

PREMIER SPONSORS
Sponsors as of April 3, 2012 and subject to change

Cisco (NASDAQ: CSCO) is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Cisco security balances protection and power to deliver highly secure collaboration. With Cisco security, customers can connect, communicate, and conduct business securely while protecting users, information, applications, and the network. Cisco pervasive security can help minimize security and compliance IT risk, reduce IT administrative burden, and lower TCO. Information about Cisco security can be found at

Dell listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. Thousands of customers around the world and an expert research team allow Dell SecureWorks to identify and protect against emerging threats faster. Our deep security expertise, flexible delivery options and commitment to service excellence make Dell SecureWorks a premier provider of Managed Security, Threat Intelligence and Security and Risk Consulting services.

Google's cloud computing solutions allow you to dramatically lower IT costs and increase productivity, security and reliability. Google Apps is a 100% web suite of applications that includes Gmail, Google Calendar, Google Docs and Spreadsheets, Google Sites, and more.
Google Postini services help make systems more secure, compliant and reliable by blocking spam and malware before they reach your networks, by providing encryption and archiving to help meet compliance requirements, and by offering continuity.

Founded in 1999, Qualys is the leading provider of cloud-based information security and compliance solutions with 5,500+ customers in 85 countries, including 50 of the Forbes Global 100. The Qualys cloud-based platform and integrated suite of applications helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps organizations solve their most complex and sensitive security challenges by bringing visibility and trust to millions of user identities, the transactions they perform and the data that is generated. RSA delivers identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading egrc capabilities and robust consulting services.

Symantec is a global leader in providing security, storage and systems management solutions to help our customers, from consumers and small businesses to the largest global organizations, secure and manage their information-driven world against more risks at more points, more completely and efficiently. Our software and services protect completely, in ways that can be easily managed and with controls that can be enforced automatically, enabling confidence wherever information is used or stored.

Terremark, a Verizon Company, is a leader in transforming and securing enterprise-class IT on a global scale.
Terremark sets the standard for IT deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the demanding requirements of enterprises worldwide. With a global network of data centers and a comprehensive portfolio of secure solutions, Terremark helps enterprise and government executives realize the power of the cloud today.

Websense, Inc. (NASDAQ: WBSN), a global leader in unified Web security, security, and data loss prevention (DLP) solutions, delivers the best content security for modern threats at the lowest total cost of ownership to tens of thousands of organizations worldwide. Distributed through partners and delivered as software, appliance and Security-as-a-Service (SaaS), Websense helps organizations leverage Web 2.0 and cloud communication, while protecting from advanced persistent threats, preventing confidential data loss and enforcing security policies. www.websense.com/content/home.aspx

PLATINUM SPONSORS

AT&T Inc. is a global leader in communications, with operating subsidiaries providing services under the AT&T brand. AT&T is a recognized leader in Business-related voice and data services, including global IP services, hosting, applications, and managed services. In the United States, Businesses of all sizes, all over the world, deploy these AT&T services to improve productivity, manage overall costs, and position themselves to take advantage of future technology enhancements.

Check Point Software Technologies, the worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point's dynamic Software Blade architecture delivers secure, flexible simple solutions that can be fully customized to meet the exact security needs of any organization or environment.
Current customers include tens of thousands of businesses and organizations of all sizes including all Fortune 100 companies. CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400 customers worldwide preempt critical security threats and more effectively communicate business risk. Our award-winning enterprise solutions are backed by over 15 years of expertise from the company s CoreLabs research center. Learn more at As the world s largest information technology company, IBM has 100 years of leadership in helping business and government organizations innovate. IBM s security portfolio provides the security intelligence to help organizations holistically protect its people, infrastructure, data and applications with solutions for identity/access management, database and network security, risk/endpoint management, and more. Visit gartner.com/us/securityrisk for agenda updates and to register 27

SOLUTION SHOWCASE PLATINUM SPONSORS

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and communications that transform the experience and economics of networking. Additional information can be found at Juniper Networks (

Kaspersky Lab is the world's largest privately-held Internet Security company, providing comprehensive protection against all forms of IT threats such as viruses, spyware, hackers and spam. The company's products provide in-depth computer defense for more than 300 million systems around the globe, including home and mobile users, small and medium sized businesses and large enterprises. Kaspersky technology is also incorporated inside the products and services of nearly 100 of industry leading IT, networking, communications and applications solution vendors.

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest dedicated security technology company. McAfee provides system, network, and mobile security solutions that allow users to safely connect to the Internet, browse, and shop online. Backed by global threat intelligence, our innovative products empower home users and organizations by enabling them to prove compliance, protect data, prevent disruptions, identify vulnerabilities, and monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe.

Recent events prove that networks will be compromised despite state-of-the-art defenses... Introducing NeuSentry by Neustar, a service that detects data breaches that other security tools miss, then generates real-time alarms that enable customers to mitigate damages caused by those breaches. NeuSentry - The New Layer in Cybersecurity Information Assurance.

Oracle (NASDAQ: ORCL) is the world's most complete, open, and integrated business software and hardware systems company. For more information about Oracle, visit oracle.com.

Palo Alto Networks is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content at up to 20Gbps with no performance degradation. Its firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption, and scan content to stop threats and prevent data leakage. Palo Alto Networks extends this same network security to remote users with GlobalProtect and combats targeted malware with WildFire.

Quest One Identity Solutions simplify identity and access management to increase compliance, security and efficiency. Our modular yet integrated approach features a broad portfolio of award-winning solutions that simplify access governance, user activity monitoring, privileged account management and identity administration. Unlike traditional framework solutions, Quest One provides granular enforcement across heterogeneous systems with 360-degree business visibility and rapid time to value! Learn why Quest One earned SC Magazine's highest five-star RECOMMENDED rating or visit

Founded in 2002, Secunia is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats and risks across their networks and endpoints. Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base.

RELEVANT. INTELLIGENT. SECURITY Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations' existing security program, infrastructure and personnel. Services are based on experienced security professionals, data-driven and actionable threat intelligence, and the ActiveGuard service platform that provide expert security and compliance management. Solutionary works as an extension of clients' internal teams, providing industry-leading customer service, thought leadership, years of innovation and proprietary certifications that exceed industry standards.

Guided by its vision of Dynamic Security for the Global Network, SonicWALL develops advanced intelligent network security and data protection solutions that adapt as organizations evolve and as threats evolve. Trusted by enterprises worldwide, SonicWALL solutions are designed to detect and control applications and protect networks from intrusions and malware attacks through award-winning hardware, software and virtual appliance-based solutions. For more information, visit

Sourcefire, Inc. (Nasdaq:FIRE) is a world leader in intelligent cybersecurity solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire's Next-Generation IPS, Next-Generation Firewall, virtual, and anti-virus/malware solutions equip customers with an efficient and effective layered security defense - protecting network assets before, during and after an attack. Today, the name Sourcefire has grown synonymous with innovation and cybersecurity intelligence. For more information: sourcefire.com.

Splunk Inc. provides the engine for machine data. Splunk software collects, indexes and harnesses the machine data continuously generated by the websites, applications, servers, networks and mobile devices that power business. Splunk software enables organizations to act on massive streams of real-time and historical machine data. More than 3,300 customers in over 75 countries use Splunk Enterprise to gain operational intelligence that deepens business understanding, improves service and uptime, reduces cost and mitigates cyber-security risk.

Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with Internet content, security and threat management solutions. We deliver top-ranked client, server, and cloud-based security to fit customer and partner needs, stop threats faster, and protect data in physical, virtualized and cloud environments. Powered by the Trend Micro Smart Protection Network infrastructure, our technology, products, and services stop threats where they emerge. For more information, visit

Tripwire is a leading global provider of IT security and compliance automation solutions. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit

PLATINUM SPONSORS

Veracode provides the world's leading Application Risk Management Platform. Veracode SecurityReview's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.

Founded in 2001, WhiteHat Security provides end-to-end solutions for Web security. The company's cloud technology platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, is the website security solution of choice, covering thousands of websites in every industry including ecommerce, finance and healthcare.

SILVER SPONSORS

21st Century Software, Inc.; BreakingPoint; FireMon; Mimecast; Skybox Security, Inc.; Absolute Software Corp.; Centrify; Fischer International Identity; Modulo LLC; Solera Networks; AccessData Group; CloudLock; ForeScout Technologies, Inc.; nCircle; SSH Communications Security; ActivIdentity Inc.; CloudPassage; Fortinet; NetIQ; Tenable Network Security, Inc.; Agiliance; ControlPanelGRC; FoxT; NSFOCUS; Thomson Reuters; AirWatch; COOP Systems; Hitachi ID Systems, Inc.; Okta; TrustSphere; Alert Enterprise Inc.; Courion Corporation; HP Enterprise Security; PhishMe Incorporated; Tufin Technologies; Approva an Infor affiliate; Critical Watch; Imperva; PhoneFactor; Venafi, Inc.; Aveksa; Cyber-Ark Software; Lancope; Rapid7; Verdasys; BeyondTrust Software; Cyveillance, a QinetiQ Company; LogRhythm, Inc.; RedSeal Networks, Inc.; VMware; Bit9, Inc.; Damballa; Lumension; Rsam; Vormetric, Inc.; Blue Coat Systems; Digital Defense, Inc.; M86 Security; SailPoint; Xceedium, Inc.; Booz Allen Hamilton; Fiberlink; Mandiant; SecureAuth Corporation; ZixCorp; Bradford Networks; FireEye, Inc.; MetricStream; SilverbackMDM

MEDIA PARTNERS

Technology Evaluation Centers

BECOME A SPONSOR

Stephen Gibertoni Sales [email protected]
Silas Mante Account Manager [email protected]
David Sorkin Senior Account Manager [email protected]
Krista Way Account Manager [email protected]
John Forcino Account Manager [email protected]

AGENDA AT A GLANCE

Sunday, June 10
4:00 p.m. Registration

Monday, June 11
7:00 a.m. Registration
8:30 a.m.
T1. FedRAMP Focus: Government Strategies for Secure Use of Cloud - John Pescatore
T2. Best Practices for Owning Your Airwaves to Provide Security, Maximize Performance and Mitigate Interference - Tim Zimmerman
T3. Top Security Trends and Take-Aways for 2012 and 2013 - Ray Wagner
T4. IAM RFP: Choosing the Best Solutions for Your Business - Earl Perkins
T5. BCM Maturity: Where We Are, Where We Should Be Going - John P. Morency, Roberta J. Witty
10:00 a.m. K1a. Welcome and Opening Remarks - Vic Wheatman
(10:15 a.m.) K1b. Opening Keynote Strategic Road Maps for IT Security and Risk Management - Andrew Walls
CISO; IT SECURITY; BCM; RISK AND COMPLIANCE; BUSINESS OF SECURITY AND RISK
11:30 a.m.
A1. Security and Risk Management as a Social Science - Tom Scholtz
The CISO; Infrastructure Protection; Secure Business Enablement; Business Continuity Management; Enterprise and Operational Risk Management; Managing Legal and Compliance Risk; The Business of IT Security and Risk
B1. The Security State of the Cloud - Jay Heiser
C1. Road Map: The Next Generation of Firewalls and IPS - Greg Young
12:30 p.m. Attendee Lunch and Solution Showcase Dessert Reception
1:00 p.m. Theater Presentations
2:45 p.m. K2. Mastermind Interview With Michael Dell, Chairman and CEO, Dell - Moderators: Neil MacDonald, Earl Perkins
3:45 p.m. Solution Provider Sessions
5:00 p.m.
A2. Security Program Management Overview - F. Christian Byrnes
B2. Road Map: Operationalizing Data and Application Defenses Against Hackers and Employees - Joseph Feiman
6:00 p.m. Solution Showcase Evening Reception

Tuesday, June 12
7:00 a.m. Registration Breakfast by Role and Industry
8:15 a.m.
A3. When Risk Management Does More Harm Than Good: RM 101 - Jay Heiser
B3. The Endpoint Protection Platform in the Age of Tablets and Clouds - Peter Firstbrook
9:30 a.m. Solution Provider Sessions
10:45 a.m.
A4. Metrics That Matter - Jeffrey Wheatman
B4. Case Study: The World Trade Center's Situational Awareness Platform - Lou Barani, of Security, World Trade Center; Moderator: Jeff Vining
11:45 a.m. Solution Showcase Lunch Theater Presentations
2:00 p.m.
A5. Security and Risk Governance: It's Much More Than Just Reporting - F. Christian Byrnes, Tom Scholtz
B5. Road Map: Secure Communications With Partners and Customers - Peter Firstbrook

C2. Big Data and Security: Integrating Security and Operations Data for Improved IT Intelligence - Neil MacDonald
C3. Monitoring Users for Security Intelligence: Threats and Opportunities - Andrew Walls
C4. Mobile Security Risks in Depth: How Safe Is the Data on Your Smartphone and Tablet? - John Girard, Lawrence Pingree
C5. Case Study: DoD's Approach to Security Testing - Ray Letteer, Chief, Cyber Security Division of the U.S. Marine Corps

3:15 p.m. Solution Provider Sessions
4:30 p.m.
A6a. Net IT Out: Articulating the Business Value of Information Security - Tom Scholtz
B6a. Net IT Out: Breaking Down the Walls While Sharing Data Securely - Jay Heiser
C6a. Net IT Out: Technical Insights Securing Browser-Based Applications - Mario de Boer
4:55 p.m.
A6b. Net IT Out: Developing the Key Competencies of the New Security Team - Tom Scholtz
B6b. Net IT Out: The DLP Process Is More Than Just a Piece of Technology - Rob McMillan
C6b. Net IT Out: Road Map Gaining Control of Consumerization - Lawrence Orans
5:30 p.m. K3. Guest Keynote Cybersecurity: A View From the White House - Howard Schmidt, Cybersecurity Coordinator and Special Assistant to the President (Accepted)

Wednesday, June 13
7:00 a.m. Registration
7:30 a.m. Breakfast With the Analysts
8:30 a.m.
A7. How to Run, Grow and Transform Your Risk and Security Program - Paul E. Proctor
B7. SIEM for Hybrid Technology and Services Deployments - Kelly M. Kavanagh, Mark Nicolett
9:45 a.m. Solution Provider Sessions
11:00 a.m.
W1. Workshop: ITScore For Security Management - F. Christian Byrnes
B8. Technical Insights: Security Monitoring for the Cloud and in the Cloud - Anton Chuvakin
12:00 p.m. Solution Showcase Lunch and Theater Presentations Exhibits and Theater Presentations
1:30 p.m.
A9. Optimizing the Information Security Organization - Jeffrey Wheatman
B9. The New Dangers of Machine to Machine (M2M) in the Enterprise - Tim Zimmerman

C7. Technical Insights: Mobility and Security Gartner Field Research Project on Mobility and Consumerization - Eric Maiwald
C8. Deep Dive Into Internet Infrastructure Attacks - Lawrence Orans, John Pescatore
C9. Presenting a Hard Target to Attackers: Road Maps for Effective Vulnerability Management - Mark Nicolett
D1. Protecting Your Network in the Era of BYOD - Lawrence Orans
D2. Taking Privacy to the Next Level With a Privacy Program - Carsten Casper
E1. Higher, Faster, Stronger: The Performant IAM Program - Ant Allan
E2. Road Map: IAM Operations The IAM Data Model - Earl Perkins
D3. Road Map: Operationalizing Encryption - Eric Ouellet
E3. IAM Best Practices for Planning, Implementing and Managing IAM Within Your Enterprise - Perry Carpenter
D4. Technical Insights: Operationalizing PCI DSS Compliance - Anton Chuvakin
D5. Technical Insights: Improving Collective Defenses Through Information-Sharing and Threat Intelligence - Dan Blum
D6a. Net IT Out: Emerging Technologies for Privacy Protection and Privacy Management - Carsten Casper
D6b. Net IT Out: Job Security in Cloud Era Will Jobs Stay or Vaporize? - Joseph Feiman
D7. Operationalize Social Media to Improve Security Performance - Andrew Walls
E4. Layered Fraud Prevention for Land-Based and Mobile Computing - Avivah Litan
E5. Why Your Security Awareness Program Is Doomed (and What You Can Do to Rescue It) - Perry Carpenter, Andrew Walls
F1. How Real-World Disasters Are Improving Business Resilience: Lessons Learned Since 9/11 - John P. Morency, Roberta J. Witty
F2. Case Study: Intel's Response to the Fukushima Earthquake/Tsunami - Jeff Selvala,, Assembly Test Global Materials, Intel; Roberta J. Witty
F3. Case Study: Teleworking Through a Disaster - John Girard, Roberta J. Witty
F4. Case Study: Demographics An Unknown BCM Risk - Steve Hannah, Manager, Disaster Recovery, Waddell & Reed
F5. Crisis/Incident Management Overview - Leif Eriksen, Roberta J. Witty
G1. Road Map: Privacy, Marketing and Behavior Tracking A Risky Mandate - Andrew Frank
G2. The Missing Link: How Ignoring Business Processes Can Be Fatal for ERM - John A. Wheeler
H1. Lawyers, Users and IT Security: Ten Ways to Work Together to Reduce Risk and Improve Governance - Debra Logan, Jeffrey Wheatman
H2. The Corporate Ethics Game Show: Let's Make a Deal or Jeopardy!? - Joseph E. Schmitz, former DoD IG; John Bace, John Marshall Law School
G3. General Session Untangling the Multimillion-Dollar Madoff Ponzi Scheme - David J. Sheehan, Partner, Baker Hostetler; Lew Schwartz, Senior Vice President, General Counsel and Corporate Secretary, Gartner
G4. Seven Keys to Successful and Cost-Effective Risk Oversight - John A. Wheeler
G5. Global Supply Chain Risk: Perception and Management - Hiranya Fernando
E6a. Net IT Out: One-Time-Password Hardware Tokens Going, Going Not Quite Gone - Ant Allan
F6a. (4:30 p.m.) and F6b. (4:55 p.m.) Net IT Out: Business Continuity Management Planning Markets and Magic Quadrants - Leif Eriksen, John Girard, John P. Morency, Roberta J. Witty
G6a. Net IT Out: The Realities of Cyberinsurance - John A. Wheeler
E6b. Net IT Out: The Undeath of PKI - Eric Ouellet
G6b. Net IT Out: Selecting IT Risk Assessment Methods and Tools A Use Case Approach - Paul E. Proctor
E7. Q&A Session: The Identity and Access Management Marketplace - Ant Allan, Perry Carpenter, Gregg Kreizman, Earl Perkins, Ray Wagner
W2. Workshop: ITScore for Privacy - Carsten Casper
W3. Workshop: ITScore for IAM - Perry Carpenter, Ray Wagner
D9. Case Study: TBA
E9. Managing Identity and Access in the Hybrid World - Gregg Kreizman

2:45 p.m. Solution Provider Sessions
4:00 p.m.
A10. Ignore Enterprise Data Protection at Your Peril - Jeffrey Wheatman
B10. The Mobile Security Brothers Traveling Roadshow - John Girard, John Pescatore
C10. NIST's National Initiative for Cybersecurity Education (NICE): What CIOs Need to Leverage - Steve Hawald
D10. Technical Insights: SaaS Security Trust Versus Technology - Dan Blum
5:15 p.m. K4. Guest Keynote Information Security and Technology In General Problem Solved. You're Welcome - John Hodgman, Actor, Author and Correspondent for The Daily Show
6:15 p.m. Summit Party VIP Boat Cruise

Thursday, June 14
7:30 a.m. Registration Breakfast by Industry and Role
8:00 a.m.
A11. Quo Vadis, CISO? Developing a Realistic Infosec Management Strategy - Rob McMillan, Tom Scholtz
9:15 a.m.
A12. Road Map: Intelligent Information Governance 2012 - Debra Logan
B11. How to Securely Deploy and Manage Whitelisting to Counter Advanced Threats - Neil MacDonald
B12. Case Study: Toward a Secure Community Cloud for a Manufacturing Sector - Doug Simmons, Gartner Consulting
Agenda as of April 3, 2012, and subject to change
C11. Manage Your Security Vendors or Be Mangled - Greg Young
C12. Network Security Open Q&A - Eric Ahlm, John Girard, Kelly M. Kavanagh, John Pescatore, Greg Young
10:30 a.m.
A13. Trust: The Elusive Final Ingredient - Jay Heiser
C13. Technical Insights: Network Security Architecture for Internal Private Clouds - Eric Maiwald
11:45 a.m. K5. Closing Insights and a Review of Aha Moments - Ray Wagner

W4. (8-10 a.m.) Workshop: Securing the Access Layer Identifying the Right Authentication Strategy for BYOD, Contractors, Guests and Employees - Lawrence Orans, Tim Zimmerman
D13. Developing and Implementing a Superior Mobile Device Policy - John Girard
E10. Socrates Was Wrong: A Debate - Rob McMillan, Andrew Walls, Earl Perkins, Tom Scholtz, Vic Wheatman
E11. Case Study: Securing the Digital Nation The New Frontier of Cybersecurity Training and Education - Keith Gordon, Senior Vice President, Security and Fraud and Enrollments, Online and Mobile Channels, Bank of America
E12. Technical Insights: Endpoint Virtualization Security Considerations - Mario de Boer
F7. Strategies for Achieving Continuous Application Availability - Donna Scott
F8. Can I Recover Through the Cloud? - John P. Morency, Sheila Childs
H4. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 1. View From the Bench - Debra Logan, Lew Schwartz, Judges Panel
H5. Lawyers, Users and IT: The Intersection of Law and Technology in 2012 Part 2. View From the Practitioners - Debra Logan, Lew Schwartz, Outside Panel
H6a. Net IT Out: Compliance Controls When Are Yours Too Old? - Khushbu Pratap
H6b. Net IT Out: SAS 70 Is Gone So What Are the Alternatives? - French Caldwell
G7. General Session Enterprise and Operational Risk Management: s Roundtable What the Board Wants - French Caldwell, Dale Kutnick, Panelists
G8. Risk-Adjusted Value Management - Paul E. Proctor
H8. Internal Auditors: Why They Do What They Do - Khushbu Pratap
F9. Best Practices in Recovery Exercising - John P. Morency
G9. Technical Insights: Road Map Managing Multinational Privacy Risks in the Cloud - Ian Glazer
F10. Panel: Educating Boards of s and Management in the Business Case for BCM - Moderator: Roberta J. Witty
W5. (8:00-11:30 a.m.) Workshop: Implementing BCM Standards for BCM Maturity and Organizational Certification - John P. Morency, Roberta J. Witty
G10. Six CIO Risk Techniques to Please Your Board - French Caldwell
J1. Security Markets Worldwide 2012 - Eric Ahlm, Ruggero Contu
J2. IT Security Survey: Study Results and Trends Analysis - Ruggero Contu, Lawrence Pingree
J3. Technical Insights: The Art of Saying Yes Selling Application Security to Architects and Developers - Ramon Krikken
J4. SWOT Analysis: IBM and HP Application and Data Security - Joseph Feiman
J5. Security Investors Perspectives Panel - Alberto Yepez, Trident Capital Group; Walter Pritchard, Citi Investment Research; John Rizzuto, Gartner Investment; Moderator: Vic Wheatman
J6. Security Market Gartner Magic Quadrant Overview - Greg Young
J7. Security Journalists and Bloggers Panel - Moderator: Greg Young
J8. SWOT Analysis: McAfee, Symantec, Cisco - Eric Ahlm, Ruggero Contu, Peter Firstbrook
H9. Improving Your Social Risk IQ - French Caldwell
J9. Security 2020: Technology, Business and Threat Discontinuities Reshaping IT Security - Neil MacDonald, Lawrence Pingree
H10. Managing Litigation and Regulatory Risks of Big Data - Sheila Childs
W6. Workshop: Policy Critique - Jay Heiser
W7. (8:00-9:00 a.m.) Workshop: Implementing COBIT 5 - Robert Stroud, ISACA's Strategy Advisory Council
W8. (9:15-11:30 a.m.) Workshop: Creating Key Risk Indicators for Your Company - Paul E. Proctor
H11. New Legal Methods for Collecting Cyberinvestigation and Social Media Evidence - Benjamin Wright, SANS Institute
H12. Road Map: Intelligent Information Governance 2012 - Debra Logan
J10. Case Study: Increasing Collaboration Securely When Moving to Cloud-Based Apps - Joe Fuller, Dominion Enterprises

REGISTRATION

3 easy ways to register
Web: gartner.com/us/securityrisk
[email protected]
Phone:

Gartner clients
A Gartner ticket covers all four days of the summit. Contact your account manager or [email protected] to register using a ticket.

EARLY-BIRD DISCOUNT EXTENDED!
Save $300 when you register by April 20.
Early-bird price: $1,995
Standard price: $2,295
Public-sector price: $1,895

Bring your team and save!
We've designed a program that will help teams of four to 25 maximize the summit experience while on-site and long after the event is over.

Team Benefits
Team meeting with a Gartner analyst (end users only)
Role-based agendas
On-site team contact: Work with a single point of contact for on-site team deliverables
Complimentary registrations

Complimentary Registrations
1 complimentary registration reward with 3 paid registrations
2 complimentary registration rewards with 5 paid registrations
3 complimentary registration rewards with 7 paid registrations
To register a team please [email protected] or contact your Gartner account manager.

SPECIAL GARTNER HOTEL ROOM RATE
$240 per night (plus tax) at the Gaylord National
A limited supply of rooms is available at a special government rate of $229.
Gaylord National Hotel and Convention Center
201 Waterfront Street
National Harbor, MD
Phone:
gaylordhotels.com

Become a Gartner client
Phone:
[email protected]

Gartner, Inc. 56 Top Gallant Road Stamford, CT

Intelligence for today's business-critical IT security and risk management function

2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Risk-Adjusted Value Management is a trademark of Gartner or its affiliates. For more information, [email protected] or visit gartner.com.

CONNECT WITH GARTNER
Connect with the Gartner Security & Risk Management Summit 2012 on Twitter and LinkedIn. #gartnersecurity

GLOBAL Security & Risk Management EVENTS
Gartner Security & Risk Management Summit 2012 July Sydney, Australia
Gartner Security & Risk Management Summit 2012 September London, U.K.
Gartner Security & Risk Management (xchange)


More information

Architecting the Digital Business: How to Use and Secure Cloud, Mobile and Data

Architecting the Digital Business: How to Use and Secure Cloud, Mobile and Data NEW EvENt FOR 2014! 17 18 June 2014 london, uk gartner.com/eu/catalyst FOR technologists, BY technologists Architecting Digital : How to Use and Secure, and Data HOT TOPICS Securing public cloud Making

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL

INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL INSIGHTS AND RESOURCES FOR THE CYBERSECURITY PROFESSIONAL BY 2 In enterprise IT, there is a single point where everything that matters in information, technology and business converges: Cybersecurity Nexus

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

Gartner Security & Risk Management Summit 2015

Gartner Security & Risk Management Summit 2015 EARLY-BIRD Discount Save 325 by 17 July Gartner Security & Risk Management Summit 2015 14 15 September London, UK gartner.com/eu/security The World s Most Important Gathering for Security and Risk Executives

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

Cloud Computing. Key Initiative Overview

Cloud Computing. Key Initiative Overview David W. Cearley Research Vice President and Gartner Fellow This overview provides a high-level description of the Cloud Computing Key Initiative. IT leaders can use this guide to understand what they

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value. SYMANTEC MANAGED SECURITY SERVICES Superior information security delivered with exceptional value. A strong security posture starts with a smart business decision. In today s complex enterprise environments,

More information

Identity and Access Management. Key Initiative Overview

Identity and Access Management. Key Initiative Overview Ray Wagner Research Managing Vice President This overview provides a high-level description of the Identity and Access Management Key Initiative. IT leaders can use this guide to understand what they need

More information

SYMPOSIUM PROGRAM DAY ONE

SYMPOSIUM PROGRAM DAY ONE Tuesday 26 th August 2014 9.00am - 5.30pm RACV City Club, Melbourne SYMPOSIUM PROGRAM DAY ONE 8:30am Registration Opens Location: Foyer Level 2 9:00am 9:10am Symposium Welcome Speaker: Tom Garcia, Chief

More information

The Keys to Successful Cloud Migrations

The Keys to Successful Cloud Migrations Moving Federal Agencies to the Cloud The Keys to Successful Cloud Migrations A WHITE PAPER PRESENTED BY: September 2014 PREPARED BY MARKET CONNECTIONS INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA

More information

The Cloud Balancing Act for IT: Between Promise and Peril

The Cloud Balancing Act for IT: Between Promise and Peril The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE

More information

IBM Software Cloud service delivery and management

IBM Software Cloud service delivery and management IBM Software Cloud service delivery and management Rethink IT. Reinvent business. 2 Cloud service delivery and management Virtually unparalleled change and complexity On this increasingly instrumented,

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 [email protected]

More information

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things Cyber security Digital Customer Experience Digital Employee Experience Digital Insight Internet of Things Payments IP Solutions Cyber Security Cloud 2015 CGI IT UK Ltd Contents... Securing organisations

More information

Navigating the NIST Cybersecurity Framework

Navigating the NIST Cybersecurity Framework Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity

More information

Gartner IT Infrastructure & Operations Management Summit 2013

Gartner IT Infrastructure & Operations Management Summit 2013 Management Summit 0 June 8 0 Orlando, FL gartner.com/us/iom Delivering on your top priorities Gartner IT Infrastructure & Operations Management Summit 0 arms you with the strategies, techniques and best

More information

Security Practices for Online Collaboration and Social Media

Security Practices for Online Collaboration and Social Media Cisco IT Best Practice Collaboration Security Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 2013 Cisco and/or its affiliates. All rights reserved.

More information

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Paul de Graaff Chief Strategy Officer Vanguard Integrity Professionals March 11, 2014 Session

More information

Gartner Identity & Access Management Summit 2013

Gartner Identity & Access Management Summit 2013 Gartner Identity & Access Management Summit 2013 November 18 20 Los Angeles, CA gartner.com/us/iam HOT TOPICS IAM SUPPORTING MOBILE, SOCIAL, CLOUD AND INFORMATION INITIATIVES IAM BEST PRACTICES FOR DEPLOYMENT

More information

How to Manage Your Data as a Strategic Information Asset

How to Manage Your Data as a Strategic Information Asset How to Manage Your Data as a Strategic Information Asset CONCLUSIONS PAPER Insights from a webinar in the 2012 Applying Business Analytics Webinar Series Featuring: Mark Troester, Former IT/CIO Thought

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

BYOD & MOBILE SECURITY

BYOD & MOBILE SECURITY 2013 surve y results BYOD & MOBILE SECURITY Group Partner Information Security Sponsored by Symantec KPMG Zimbani MailGuard INTRODUCTION Welcome to the 2013 BYOD & Mobile Security Report! Bring Your Own

More information

The Evolution of Application Monitoring

The Evolution of Application Monitoring The Evolution of Application Monitoring Narayan Makaram, CISSP, Director, Solutions Marketing, HP Enterprise Security Business Unit, May 18 th, 2012 Rise of the cyber threat Enterprises and Governments

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Building Security In:

Building Security In: #CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Healthcare Information Security Today

Healthcare Information Security Today Healthcare Information Security Today 2015 Survey Analysis: Evolving Threats and Health Info Security Efforts WHITE PAPER SURVEY BACKGROUND The Information Security Media Group conducts an annual Healthcare

More information

Securing your Corporate Infrastructure What is really needed to keep your assets protected

Securing your Corporate Infrastructure What is really needed to keep your assets protected Securing your Corporate Infrastructure What is really needed to keep your assets protected Joseph Burkard CISA, CISSP October 3, 2002 1 Securing your Corporate Infrastructure Management Dilemma or Technical

More information

50x 2020 40 Zettabytes*

50x 2020 40 Zettabytes* IBM Global Technology Services How to integrate cloud-based disaster recovery into your existing business continuity plans Richard Cocchiara: IBM Distinguished Engineer; CTO IBM Business Continuity & Resiliency

More information

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE

GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE GETTING MORE FOR LESS AS LOG MANAGEMENT AND SIEM CONVERGE AN IANS INTERACTIVE PHONE CONFERENCE FEBRUARY 11, 2009 CHRIS PETERSON, CTO, FOUNDER, LOGRHYTHM NICK SELBY, IANS FACULTY SUMMARY OF FINDINGS Underwritten

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Gartner Application Architecture, Development & Integration Summit 2014

Gartner Application Architecture, Development & Integration Summit 2014 Gartner Application Architecture, Development & Integration Summit 2014 21 22 July Hilton Sydney, Australia gartner.com/ap/aadi Transform Your Applications Strategy for a Digital World hot TOPICS Flexible

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

State of Security Survey GLOBAL FINDINGS

State of Security Survey GLOBAL FINDINGS 2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

Cybersecurity Strategic Consulting

Cybersecurity Strategic Consulting Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with

More information

Top 5 reasons to choose HP Information Archiving

Top 5 reasons to choose HP Information Archiving Technical white paper Top 5 reasons to choose HP Information Archiving Proven, market-leading archiving solutions The value of intelligent archiving The requirements around managing information are becoming

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Key Trends, Issues and Best Practices in Compliance 2014

Key Trends, Issues and Best Practices in Compliance 2014 Key Trends, Issues and Best Practices in Compliance 2014 What Makes This Survey Different Research conducted by independent third party Clients and non-clients 301 executive decision makers 35 qualitative

More information

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise Best practices in open source governance Managing the selection and proliferation of open source software across your enterprise Table of contents The importance of open source governance... 2 Executive

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Global Access to More Than 10,000 Enterprise IT Decision Makers

Global Access to More Than 10,000 Enterprise IT Decision Makers Sponsor Prospectus The world s most important gathering of CIOs and senior IT executives Global Access to More Than 10,000 Enterprise IT Decision Makers Celebrating 20 Years of Commitment and Performance

More information

Embracing BYOD with MDM and NAC. Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout

Embracing BYOD with MDM and NAC. Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout Embracing BYOD with MDM and NAC Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout 1 Today s Agenda The BYOD Landscape Network Access Control (NAC) 101 Embracing BYOD with MDM and NAC Use Cases 2 The BYOD

More information