Gartner Security & Risk Management Summit 2015
June 8-11, National Harbor, MD
gartner.com/us/securityrisk

Manage Risk and Deliver Security in a Digital World

Trip Report

Gartner Security & Risk Management Summit 2015 was held on June 8-11 at the Gaylord National Resort & Convention Center in National Harbor, MD. This report summarizes and provides highlights from the event.

Overview

At the 21st annual Gartner Security & Risk Management Summit, attendees participated in on-site benefits, heard the latest IT security and risk management presentations from the Gartner research community on today's most pressing topics, attended workshops run by expert analysts and industry leaders, heard real-life experiences during peer case studies, engaged in analyst-user roundtables and one-on-one meetings with Gartner analysts, and checked out the latest solutions at the Solution Showcase.

Attendees walked away with actionable solutions to key topics, including how to:
Gain role-specific tools and strategies to stay ahead of expanding scopes of responsibility and increasing threats
Align security and risk management strategies with enterprise objectives
Assure compliance by learning the new privacy and e-discovery regulations and requirements
Apply the latest techniques to tackle risks in cloud, operational technology (OT), the Internet of Things (IoT) and IT
Maximize enterprise ROI by using the latest business continuity management (BCM) and enterprise resilience practices

Photos: Gaylord National Resort & Convention Center; Andrew Walls speaking at Gartner Security & Risk Management Summit 2015

Save the date
Gartner Security & Risk Management Summit 2016 will take place June 13-16, in National Harbor, MD, at the Gaylord National Resort & Convention Center. Be sure to bookmark the website, gartner.com/us/securityrisk, and check back for 2016 conference updates.
Table of contents
2 Findings from Gartner Security & Risk Management Summit 2015
5 Gartner keynotes
6 Guest keynotes
7 Conference highlights
8 Top 5 most-attended sessions
9 Snapshot of attendees
10 Sponsors
13 Post-event resources
14 Renewal
Findings from Gartner Security & Risk Management Summit 2015

Here are key recommendations from this year's most popular Gartner analyst sessions, especially useful for your 2015 planning and strategy considerations.

A11. Why Your Policy is Broken and How You Can Fix It
Rob McMillan, Director
Review your policy for common policy problems.
Verify that you have an effective process in place for ensuring that your people are aware of the policy and its requirements.
Stress-test your policy to look for potential failures.
Assess the extent to which you can prove that your external providers are managing to your policy and adjust as required.
Adjust your policy to address the policy problems that you identify.
Implement a program to assess compliance and detect anomalies.

B9. Mobile Security Threats and Trends 2015
John Girard, Vice President and Distinguished Analyst; Dionisio Zumerle, Director
Review your mobile policy and identify the key participants in the enterprise mobility program.
Translate your technical risk into enterprise risk, define a direction and ask for top management validation.
Abandon device-centric lockdown security for app-centric models.
Experiment with data-centric solutions, but be aware of immaturity.
Focus your efforts on providing solutions that are tailored for mobile use and therefore obviate shadow IT practices.
Act tactically: Assess your post-deployment posture, close gaps and refresh again in six to 12 months.

C1. The Cloud Security Scenario
Jay Heiser, Vice President
Build cloud security and control competencies.
Develop and enforce cloud governance policies: Data classification and risk acceptance and ownership of data and departmental applications.
Manage your accounts (especially privileged ones).
Ensure that you have contingency plans.
Demand CSPs follow standards and provide third-party security assessments.
Photos: Rob McMillan, John Girard, Dionisio Zumerle, Jay Heiser
Findings from Gartner Security & Risk Management Summit 2015

D8. Future-Proofing IAM
Ant Allan, Vice President
Identify your organization's strategies for and stakeholders in digital business, IoT and the digital workplace.
Determine where IAM creates unnecessary friction in the digital workplace.
Get to know your IAM vendors' plans to support external identity providers, ABAC and so on. Identify alternatives.
Update your IAM strategic plan to reflect digital business, IoT and digital workplace goals.
Develop a strategy for bimodal IAM.
Plan for fundamental changes in IAM teams' skills, staffing and structure.
Simplify your IAM architecture and operations by embracing people-centric security principles.

E9. Mobile Device Security: A Comparison of Platforms
Patrick Hevesi, Director
Understand the mobile threat landscape.
Be cautious when investing in mobile device security apps.
Set mobile OS version standards and deny older versions (iOS 8, Samsung Knox, Windows 8.1).
In a bring-your-own-device (BYOD) program: Choose devices with strong native controls over devices lacking adequate controls or with security settings that can be disabled by users. Alternatively, complement device controls with additional software such as managed information containers.
In fully managed high-security organizations, choose hardened devices with highly granular policy management capabilities.

F5. Building Advanced KRIs: Risk Metrics That Influence Business Decisions
Paul E. Proctor, Vice President and Distinguished Analyst
Review all of your dashboards and metrics.
Define the audience they address.
Determine the decisions for the audience who is influenced by the metrics.
Determine the causal relationships each metric has to a business dependency.
Revise your metrics to be leading indicators.
Reposition. Move IT operational metrics away from business decision makers.

Photos: Ant Allan, Patrick Hevesi, Paul E. Proctor
Findings from Gartner Security & Risk Management Summit 2015 (continued)

G8. Software Licensing Is a Risk. Is Your Organization Managing It?
Victoria Barber, Director
Find out who your asset manager is.
Understand the current state of software asset management in your organization.
Insist that investment is made to reduce current licensing risk.
Support the asset manager to develop and mature software asset management.
Leverage software asset management data to identify and quantify business risk.
Enforce license compliance through process and controls.

H13. The Current State of Cloud-Based Recovery and Continuity
John P. Morency, Vice President
Decide which recovery requirements must be supported now and later.
Define your priorities for platform support and data replication support requirements.
Evaluate vendors from a recovery assurance perspective: Define the availability, recovery and performance requirements and document them in SLA terms.
Assess carefully the extent to which a service provider can reduce the time, cost and logistics of recovery exercising.
Quantify the required implementation time, license costs and monthly services cost differences between the alternatives.
Perform pricing due diligence with the finalists.
Decide which provider type (if any) is most appropriate.

J3. User Authentication Vendors Are Not the Only User Authentication Vendors
Ant Allan, Vice President
Inventory your user authentication use cases.
Review how incumbent solutions meet trust, TCO and UX needs.
Identify use cases in need of new methods or wholly new solutions.
Identify use cases where adaptive access control can add value.
Select vendors to meet the needs identified above.
Plan for longer-term changes as new technologies become available.

Photos: Victoria Barber, John P. Morency

This conference is the premier conference for security and risk management professionals.
The content and networking are highlights of an amazing team of analysts.
Stephen Zalewski, Security Architect, Pacific Gas and Electric Company
Gartner keynotes

Manage Risk and Deliver Security in a Digital World
Ant Allan, Vice President; Peter Firstbrook, Vice President; Avivah Litan, Vice President and Distinguished Analyst
In the opening keynote, Gartner analysts discussed how effective cybersecurity is the foundation of successful digital business. As organizations leverage new technology and business processes to deliver services and products to global markets, security and risk managers must support achievement of enterprise objectives while mitigating security risks to an acceptable level. The analysts stressed that in order to achieve success, security and risk leaders must embrace new approaches to digital business while maintaining proven control architecture that mitigates enterprise risk.

Cybersecurity Scenario 2020: The Impact of Digital Business on Security
F. Christian Byrnes, Managing Vice President
Two years ago, Gartner provided a scenario covering the evolution of the threat environment through 2020. Today, our senior analysts have assembled a picture of how digital business will impact the security practice in that same time frame. F. Christian Byrnes explained how this is yet another key input to long-term strategic planning and showed how it will also impact business life.

The Great Race to Digital Moments
Chris Howard, Vice President and Distinguished Analyst
In the closing keynote, Chris Howard delved into how digital moments come in all forms: moments for customers or employees, moments of commerce and engagement, and moments where an organization needs to capitalize on something unexpected by integrating data and function on the spot. He explained how digital moments are opportunities to achieve enterprise objectives, but they also involve new risks. Our growing experience with mobility, analytics, cloud and social connectivity creates the platform to support these moments, increasingly amplified by the IoT.
Howard then explored several of these digital moments and their implications for security and risk professionals.

Photos: Ant Allan, Peter Firstbrook, Avivah Litan, F. Christian Byrnes, Chris Howard
Guest keynotes

U.S. Intelligence, Defense and Cybersecurity Strategies
Leon Panetta, U.S. Secretary of Defense (2011-2013), and Director, Central Intelligence Agency (2009-2011)
Leon Panetta discussed U.S. intelligence and cybersecurity strategies from his experience as the 23rd Secretary of Defense from 2011 through 2013. Panetta shared how he oversaw the final removal of American troops from Iraq as well as the beginning of troop withdrawals from Afghanistan. He then touched on defense strategies from when he led the effort to develop a new defense strategy to advance greater agility, protect national security and meet fiscal discipline, which in turn opened up new opportunities for everyone to serve in the military and protected benefits for wounded warriors and their families.

Inkjet Business Model Considered Harmful
Cory Doctorow, Journalist, Science Fiction Author, Activist and Blogger
Cory Doctorow discussed how the IoT is being born with the inkjet printer business model: ecosystems of devices that can only be connected with the manufacturer's approval. This allows manufacturers to command high margins for the consumables, chargers and add-ons you have to buy to keep using the stuff you already own. He then explained that the real danger comes as soon as you design a computer to thwart its owner's desires. This then sets in motion a set of security, policy and technology decisions that ends with spyware shipping out of the box on every device.

Photos: Leon Panetta, Cory Doctorow
Conference highlights

6 keynotes featuring Gartner analysts and industry experts
Manage Risk and Deliver Security in a Digital World
Welcome Remarks and Program Roadmap
Cybersecurity Scenario 2020: The Impact of Digital Business on Security
Guest Keynote: U.S. Intelligence, Defense and Cybersecurity Strategies
Guest Keynote: Inkjet Business Model Considered Harmful
The Great Race to Digital Moments

107 Gartner track sessions
Some selected topics:
The New CISO's Crucial First 100 Days
How the Internet of Things Will Change Cybersecurity Forever
Magic Quadrant for Operational Risk Management
The Availability Implications for Digital Business
Network Security Guide to BYOD 2015 Update
Top Trends and Take-Aways for Cybersecurity

11 end-user case studies
Some selected topics:
Information Security Is a Business Continuity Issue: Are You Ready?
Top Threats, Vulnerabilities and Hiring Challenges: What Is a CISO to Do?
Developing a Medical Device Security Program
What Makes Organizations Resilient and Why You Should Care
How to Present Risk to Board-Level Management: Key Take-Aways From Visa
Future of Sales in Information Security

27 roundtable discussions (Gartner-analyst-moderated)
Some selected topics:
Using a Virtual Team to Manage IT Asset Risks
What Can We Expect From the Upcoming EU Data Protection Regulation?
Presenting to the Board and Executive Committees
Comparing Best Practices for Cloud Risk Management
Information Security Metrics
What Is Information Governance Technology and How Is It Being Used?
Conference highlights (continued)

6 workshops
Essential Communication and Conflict Resolution Skills for Security Leaders
The Gartner ITScore Maturity Model for IAM
Make the Business Case and Obtain BCM Program Executive Sponsorship
IT Security: Planning a Self-Audit
Start Your DLP Project By Making It Relevant
The Language of Change: Overcoming Change Resistance and Transforming Culture

3 debate sessions
Quantitative vs. Qualitative Risk Assessment
We Will Fail If We Try to Protect All Data and Processes That We Own
Debating Pervasive Data-at-Rest Encryption: Great Security or Grand Illusion?

Join the conversation
Connect with Gartner Security & Risk Management Summit on Twitter and LinkedIn.
#GartnerSEC
Gartner Security and Risk Management Summit

Online access for one year
Missed a session? Have no fear. Your ticket includes keynotes and track sessions, not just those you saw live! Gartner Events On Demand provides streaming access of recorded presentations to all paid attendees for one year. Watch your favorites again and see those you missed from any Web-connected device. Visit gartnereventsondemand.com.

Top 5 most-attended sessions
G16. Using Storytelling to Get Your Risk Management Message Heard
Jeffrey Wheatman, Director
F16. GRC: What Works, What Doesn't
Paul E. Proctor, Vice President and Distinguished Analyst
E7. Securing Sensitive SaaS Using Cloud Access Security Brokers
Ramon Krikken, Vice President
D15. How to Build a Globally Legal and Successful BYOD Program
John Girard, Vice President and Distinguished Analyst
E9. Mobile Device Security: A Comparison of Platforms
Patrick Hevesi, Director

Fantastic event for any and all security professionals!
Matthew Mudry, Director, IT Architecture and Security, Castleton Commodi
Snapshot of attendees

Who participated in the 2015 conference?

Top job titles
C-level: 22%
Director: 22%
Analyst: 4%
Vice President: 10%
Management: 20%

Top job roles
1. Security and risk management
2. Infrastructure and operations
3. CxO
4. Enterprise architecture
5. Product management/marketing

Top industry sectors
18% Banking, finance and insurance
17% Government
11% Manufacturing
7% Healthcare
3% Education
Thank you to our sponsors

Premier and Platinum sponsors (logos)
Thank you to our sponsors

Platinum and Silver sponsors:
Absolute Software Corporation Boldon James Cyphort Inspired elearning Accellion Box Darktrace Interset Software, Inc. Accelops BrandProtect Inc. Digital Defense, Inc. Invincea, Inc. Agari BrightPoint Security Digital Guardian ISACA Agiliance Brinqa Domain Tools Kaspersky Lab AhnLab Camber Corporation EdgeWave Lancope Alert Enterprise Caspida Elastica, INC. LastPass Algosec Centripetal Networks Endgame Learning Tree International Alott Communications CenturyLink ESET North America LockPath Arbor Networks, INC. Certes Networks Exabeam LogRhythm Arxan Technologies Cigital FireLayers Lookout Aujas Information Risk Services Click Security Firemon Lunarline Avatier CloudLock Fortscale ManTech Avecto BAE Systems Barracuda Networks Bay Dynamics, Inc Beyond Trust Software, INC Bit9 + Carbon Black Bitglass Bloomberg Vault Blue Coat Systems CloudPassage Cognizant Technology Solutions Continuity Logic Contrast Security Courion Corporation Cyber adapt, Inc. Cybereason Cylance Cymmetria General Dynamics Fidelis Cybersecurity Solutions Global Learning Systems Google Inc. Gurucul Hexis Cyber Solutions, Inc. Hitachi ID Systems, Inc. ICF International Identity Finder Menlo Security Modulo NetIQ Netskope Neustar Niara NSFOCUS Information Technology Co., Ltd. ObserveIT
Thank you to our sponsors (continued)

Silver sponsors:
Okta Protegrity Security Innovation ThreatTrack Onapsis Quotium Securonix Thycotic OpenDNS Rapid7 SentinelOne Triumfant Palerra Recorded Future Simieo Solutions TRUSTe Panda Security RedSeal Spikes Security Tufin PhishLine.com Resilient Systems SSH Communications Security Varonis Systems, Inc. PhishLabs Return Path Stroz Friedberg Verisign Phishme RSAM Synopsys, Inc. Vidder Platfora Safenet Tanium Virtustream Portnox Secunia Tenable Network Security, Inc. Vormetric PREVALENT, INC. Security Compass The Media Trust Waratek Prevoty Security First Corp ThreatSim whitecryption Corp. ProtectWise Security Mentor ThreatStream Wombat Security Technologies

Association Partners and Media Partners:
EXECUTIVE NETWORK, WITI
Post-event resources

Customizable post-event worksheet
Take a moment to complete your own post-event trip report, a valuable resource for future reference and a great way to share with colleagues what you learned. Click here to access the trip report worksheet.

Learn more with relevant research
Want to learn more about the topics that interest you most? Turn to the end of each session presentation for a list of related Gartner research notes. Select Gartner research is available on demand at gartner.com.

This conference is a great venue for meeting cyberpractitioners from various sectors and comparing experiences.
Sherrill Nicely, CISO, CIA

Upcoming events
Gartner Security & Risk Management Summit 2015, July 13-15, Tokyo, Japan
Gartner Security & Risk Management Summit 2015, August 24-25, Sydney, Australia
Gartner Security & Risk Management Summit 2015, September 14-15, London, U.K.
Gartner Security & Risk Management Summit 2015, November 2-3, Dubai, UAE
Gartner Identity & Access Management Summit 2015, December 7-9, Las Vegas, NV

The World's Most Important Gathering of CIOs and Senior IT Executives
EARN CPE CREDITS
Earn CPE credits toward (ISC)2, ISACA and DRII certification

Gartner Security & Risk Management Summit 2016
June 13-16, National Harbor, MD
gartner.com/us/securityrisk

Join us again in 2016!
Register for this must-attend security and risk management event at gartner.com/us/securityrisk or call 1 866 405 2511.

Hot topics
Application, network and infrastructure security
Planning for IoT security
Digital business security and risk management
Organizational resilience through BCM
Risk management and compliance

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner and ITxpo are registered trademarks of Gartner, Inc. or its affiliates. For more information, email info@gartner.com or visit gartner.com.