
Register by 24 July 2009 and save €500

Gartner Information Security Summit 2009
Managing risk and securing information: your role, your priorities, your tactics

21 – 22 September | London

Thought Leader Keynote
Spencer Kelly
Technology Tourist, Presenter of the BBC’s international technology programme Click

Guru Keynote
Professor Fred Piper
Information Security Group, Royal Holloway, University of London

Summit Co-Chairs
Jay Heiser, Research VP, Gartner
Tom Scholtz, Research VP, Gartner
2   Register today at

Page 4    Plenary
Page 5    Foundation Sessions and Gartner Analyst/User Roundtables
Page 6-9  Summit Program: The Tracks and Sessions
Page 10   End-User Case Studies
Page 12   Gartner Research
Page 13   Maximize Your Summit Experience
Page 14   Solution Showcase
Page 15   How to Register

Your Summit — Your Agenda!
With a wealth of sessions, it is helpful to have a tool to build your own agenda focusing on your own needs. The online Agenda Builder helps you select the relevant sessions, schedule them in your calendar, and build networking and reflection time into your schedule.
Go to ab/ to view the full agenda and plan your on-site schedule.

Managing risk and securing information: your contribution to the success of your organization!

We are living in challenging times. Money is tight, and cyber-risks are increasing. As an information security or risk professional, you have a special contribution to make to the success of your organization. Traditional emphasis has been on effectiveness in preventing security breaches and incidents, but the focus is increasingly turning toward the efficiency with which this can be achieved. It might sound like alchemy, but you have an important duty to simultaneously improve security while reducing costs.

This year’s Gartner Information Security Summit emphasizes the role of the individual practitioner, which is becoming increasingly specialized. What should you be doing, and what are the best practices of your peers? The event will provide the information and networking opportunities to help you do your job better.

Jay Heiser, Research VP, Gartner
Tom Scholtz, Research VP, Gartner

Key Benefits that you will derive from attendance at the Gartner Information Security Summit:
• Meet business needs: protect and support critical systems and processes to ensure delivery of the organization’s overall objectives
• Make wise investments: gain the most up-to-date understanding of the vendor landscape allowing you to assess your best-fit approaches
• Sound deployment of resources: learn where to place your time, energy and budget in order to achieve quick-wins and clear results
• Make the business case: explain to c-level executives where and how your work in security has delivered value and why it is worth the investment
• Safeguard clients: both internally and externally individuals rely on you and need to have full confidence if you are to have their support at every step
• Deepen tactical knowledge: you know what your problems are...come meet the Gartner analysts and learn what the solutions look like
• Strengthen strategic vision: advantage is gained by knowing where to jump and how soon. Don’t learn to be first, learn to be the best
• Develop your most vital resource: increased expertise, broader awareness at all levels, connections within the industry, and ways to make an impact; the Gartner Summit experience is designed to make you an asset to your organization and a true knowledge worker.

Summit Timetable
Sunday 18:00 - 19:30
Monday 07:30 - 20:00
Tuesday 07:30 - 17:30
Networking Reception: 18:30 - 20:00

Customize your agenda!
To assist you in making the most of your attendance we have tagged
a series of sessions to create two recommended agendas for you -

        “Your How To Guides” — put knowledge into action with the
        practical implementation advice offered in these sessions.

        “Your Technology Strategy” — a suite of sessions giving
        you full briefings on a core selection of security and
        risk technologies.

Advisory Board
The Gartner Information Security Summit operates with the advice and support of a number of end-user representatives who help ensure that the content and direction of the Summit fits the needs of our intended audience.

Paul S. Raines, Head IT Information Security, Organization For The Prevention Of Chemical Weapons
Neville Hinchliffe, LUIM Risk & Resilience Manager, London Underground
Richard Astill, Head of IT Risk Management & Assurance, AON
Peter Tiffany, IT Security Officer, Department Of Health
Mathieu Ransijn, Global Information Security Operations Manager,
Joe Dauncey, Information Security Manager, Scottish & Southern Energy

What’s New at the Gartner Information Security Summit?
• Practical, Actionable Know-How: In the present climate, your value relies not on who you are but on what you can deliver effectively. This year’s agenda features five presentations telling you the “how-to” approaches for effective programs in IAM, DLP, GRC, vulnerability management and your overall security structure.
• Rising Compliance Issues: The agenda deals directly with incoming regulatory requirements such as Solvency II, IFRS and SEPA, including cross-border issues, and gives an exclusive analysis of how you should go about preparing for other compliance challenges.
• Frameworks for the Organization: This year’s agenda features a demonstration of ITILv3 for security, a real-world case study of ISO27001/ISO27005 in action and the implementation of a risk management framework.
• Advanced Practitioner Insight and Professional Development: Take your organization and your own career to the next level… Let Gartner help you with everything from a full self-assessment workshop, our maturity benchmark session showing global organizational standards and how to advance up the chain, an advanced workshop on risk management and a Gartner guide to how you can make best use of security qualifications and accreditation for your CV.

Register Now and build your agenda at

Plenary Sessions

Milestones and Monsters
The Web has levelled the playing field. Now, anyone can come up with a great idea, and unleash it on the world. And in an age where consumer electronics is massive business, every new invention is a potential goldmine. The best thing is, to capitalize on it, you don’t even have to have the idea yourself. You just have to know how and when it could change the world, and be ready. We start with a look at some of the technology past milestones that have given rise to the success stories of today, and a look ahead at some which have yet to happen — the ones that you may be able to make a few zeroes on. And then it’s on into the dark side — after all... innovation isn’t always for the greater good. As more and more real life and real business takes place online, there are real opportunities for organized criminals to cash in. So, who are they? How are they structured? And how are they likely to hit you? Place yourself in the hands of the perfect guide — one who has investigated cutting edge cybercrime, and demonstrated how easy it is to command an army of zombie machines to do anything you want.
Spencer Kelly, Technology Tourist, Presenter of the BBC’s international technology programme Click

Making the Real World Trade-Off: Balancing the Costs of Security and Insecurity
Over the past 25 years the practice of information security has made many advances but has not been an unobstructed march to victory over insecurity; in some ways, the organization is more insecure than ever. As best practice and theory have come into contact with the day-to-day reality within organizations, it has been demonstrated time and again that security is not an all-encompassing end goal; it is a series of evolving compromises and ongoing choices. Professor Fred Piper, internationally respected for his contributions to the advancement of information security, will explore how to balance the needs of security with the needs of a functioning organization and the people who work within it. He will argue that the role of the security professional is to demonstrate to the organization exactly what trade-offs are involved, and to govern the relationship between the policies set and their practical impacts on the people who have to work with them. Looking to the here and now, it is time to define security policies that take into account the true costs and are acceptable to the people who will have to act within their proscriptions; if you fail to strike the right balance those same people will turn out to be your key enemy and your greatest threat.
Professor Fred Piper, Information Security Group, Royal Holloway, University of London

Gartner Strategy Keynote: Your Role in Information Security
Information security only started maturing in the 1990s, when distributed computing and pervasive networking resulted in a dramatic increase in business dependency on IT. This coincided with a dramatic increase in risk. Maturation implies change. Using other examples of IT maturation, we can better understand what an information security professional will look like, starting five years from now.
• What are the key roles and responsibilities of information security practitioners today?
• How will those key roles change over the next five to seven years?
• Which direction should you set for your career in information security and risk?
Christian Byrnes, Gartner

Gartner Closing Keynote: The Future of Information Security
Infosec managers who forget the past are doomed to repeat it. We cannot understand the risk implications of continuous evolution of information media outside of the context of the last 6000 years of information security failure. Cuneiform tablets resulted in a rash of Babylonian identity frauds, Gutenberg launched a four-century debate on intellectual property protection, and cyber warriors committed man in the middle attacks in 1862. As digital technology becomes increasingly complex, and IT continues to lose control over information, the loss patterns of the past are repeating themselves at an exponentially accelerating rate. Only by understanding the lessons of the past can we prepare ourselves to thrive in a future of increasingly abstract and distributed trust mechanisms, a world of sophisticated anonymous attacks, in which the end user will inevitably become our first line of defense.
Jay Heiser, Gartner

Foundation Sessions and Gartner Analyst/User Roundtables

Begin your Summit experience with a full briefing on the latest priorities and essential updates relating to three key subjects featured within the Summit. As an experienced professional wanting a fast refresh on the Gartner perspective, or as a newcomer wanting a snapshot of what you need to know, the Foundation Sessions form a solid basis for your time on-site.

Foundation Sessions

Legacy Information Management: Control Risk, Improve Security and Save Money
Legacy data creates substantial costs for storage and maintenance despite much of it being outdated and redundant. New techniques and technologies can help with information retention management, which is the bedrock of risk mitigation, information governance and overall data security. With legal and regulatory oversight bodies, as well as the courts, expecting companies to clear up this undisciplined data growth, it’s time you start the long journey to better manage your data.
• What is the extent of the problem?
• How does it relate to governance risk and
Debra Logan, Gartner

The IT Security Manager’s Guide to Enterprise Risk Management
According to a Gartner survey, enterprise risk management is one of the top three initiatives affecting IT security professionals in 2009. Risk comes in many forms and can have a serious impact. As corporations move to real time, so does risk. Limited data, complex interdependencies and organizational silos inhibit risk identification, measurement and management. In order to retain stakeholder trust, establish transparency while protecting privacy and to meet regulatory requirements, an integrated approach to enterprise risk management must be applied.
French Caldwell, Gartner

Articulating the Business Value of Information Security
The security management program is a big ticket budget item. As budgets begin to tighten it will become increasingly difficult to justify security expenditures. This presentation will share:
• Strategies for obtaining and maintaining executive support for security initiatives
• A practical model for communicating the business value of an information security
• Techniques for effective cost/benefit analyses for security project investments.
Tom Scholtz, Gartner

Gartner Analyst/User Roundtables
Gartner Analyst/User Roundtables are your chance to network with a Gartner analyst and a group of your peers; to get ideas and answers from organizations experiencing similar challenges.

Your Role as CISO: 2010-2012
Christian Byrnes, Gartner

Managed Security Services Providers
Carsten Casper, Gartner

Remote Access Authentication Mashup/Meltdown
John Girard, Gartner

Protecting the Endpoint
Peter Firstbrook, Gartner

Assessing Outsourcing and External Service Risks
Jay Heiser, Gartner

Security Information and Event Management
Mark Nicolett, Gartner

Contemporary Issues in IAM
Ant Allan, Gartner

        For more information about the Foundation Sessions visit

    Summit Program
    Presented by both Gartner analysts and invited guest speakers these sessions offer the very latest topical updates
    and actionable insights on the subjects most critical to your organizational development and innovation.

    TRACK 1:

    A Secure Infrastructure is no Luxury

    Today’s highly-connected environment simultaneously offers huge business advantages and significant
    risks. You not only have to maintain network firewalls, secure Web gateways and endpoint protection
    platforms, but you have to support teleworkers and partners. Virtualization and cloud security challenge
    your established perimeters while the bad guys keep innovating.

Protecting the Endpoint From the Malware Pandemic
The expansion of endpoint protection from traditional signature-based detection and personal firewalls, to data protection and PC life cycle tools is well underway. This session will examine what makes sense in an endpoint security package and which vendors are leading the way. We will also examine the converging roles of operations and security and list the top procedural changes that will enhance the security posture of endpoints.
• What are the advantages of security and operations integration?
• What features, configuration options and procedural enhancements will be critical for future endpoint security success?
• Which vendors are leading the way and how to negotiate effectively to get the best deal?
Peter Firstbrook, Gartner

Secure Remote Access For Non-Securable People: Access Protection in an Outsourced, Contracted, Partnered World
Contractors are less expensive on the ledger than full-time employees. Business partners must be connected to make just-in-time decisions. Companies give control of critical internal systems to users who are not under direct supervision. Relationships span political boundaries. Enforcement of data protection and SLAs are acts of faith. We take stock of the vulnerabilities caused by extranet access and recommend a survival plan.
• What are the extranet security and privacy challenges through 2014?
• How will business integrity be maintained when users may never be seen?
• Which contractual, technological and managerial practices will be most effective to maintain access control?
John Girard, Gartner

Securing the Web Gateway
The Web is simultaneously becoming more important and more dangerous to modern business. Web-based applications and services such as Skype and have the ability to cut costs and improve productivity, yet few organizations have adequate solutions to effectively manage and filter Internet traffic flooding the LAN.
• What are the trends and implications of the evolving Web applications?
• What are the key features and requirements of a secure Web gateway?
• Which vendors will your organization rely on to secure the Web gateway?
Peter Firstbrook, Gartner

Trusted Portable Personalities: Case Studies To Mix Security and Portability
Every company struggles to adapt to rising demands for portable information access without increasing investments in supervision and dedicated workstations. Data loss prevention is failing under an avalanche of portable media devices and Internet portals. These demands extend far beyond the question of employee access to encompass sharing of legally sensitive data and competitive intellectual property.
• How can corporate data be productively used on noncorporate workstations?
• What are the decision factors that determine the best methods for secure, portable remote access?
John Girard, Gartner

Planning for the Content Aware Enterprise: 2009 DLP Magic Quadrant
The content aware data loss prevention market continues to evolve. Organizations are adjusting to a strategy where they can dynamically apply policy at the time of an operation. Data loss prevention technologies are increasingly common compliance tools for many organizations. However, many struggle when it comes to selecting and deploying meaningful content-aware DLP solutions and achieving their intended compliance goals.
• What should an enterprise data loss prevention strategy look like?
• Who are the leaders in each market segment?
• What five points must organizations consider when deploying DLP solutions?
Paul Proctor, Gartner

Gartner Magic Quadrant Power Session: Getting What you Want From the Security Market Players
With cost rationalization and efficiency high on the corporate agenda for 2009-2010, learn from the Gartner analysts who are best placed to give you what you need and whether there are opportunities for you to achieve a better deal or a renegotiated arrangement in this climate. The session will cover the key technology providers in SIEM, user provisioning, content monitoring and filtering, data loss protection, personal firewalls and mobile data protection.
• What trends and product features contributed to the 2009 Magic Quadrant positioning?
• Which vendors have the sharpest vision of where the market is going?
• Where are the dangers and opportunities in the security technology market?
Gartner Analysts: Peter Firstbrook, John Girard, French Caldwell, Paul Proctor

Using Vulnerability Management to Operationalize Security
Security policies are most effective when assessment and remediation processes are implemented by network, desktop and server administration groups. The security organization needs to keep control of policy and audit while it runs projects to operationalize selected assessment and remediation functions. This presentation provides guidance on how to use operations to improve the effectiveness and efficiency of IT security.
Mark Nicolett, Gartner


Protect Data and Applications to Deliver Higher Business Value

Attackers are increasingly concentrating on data and applications because “that’s where the money is.”
But it’s not just a matter of protection against financial fraud. Privacy demands protection of personal
data. Government regulations demand activity monitoring. Business continuity demands robust
and reliable backup and recovery. Security managers must address these needs by orchestrating
vulnerability management and IAM initiatives to maximize effectiveness and efficiency.

The Elements of an Effective Identity and Access Management Program
Identity and access management (IAM) can deliver real business value beyond its contributions toward efficient and effective security, risk management and compliance. However, realizing that value demands sound program management. To build an IAM infrastructure that will meet your needs, you must orchestrate a variety of different technologies.
• What are the drivers for and benefits from IAM?
• What are the key elements of an IAM program?
• What is the range of IAM technologies: which are core and which fringe, which tactical and which strategic?
Ant Allan, Gartner

User and Resource Access Monitoring to Improve Security
Today’s threat environment is dangerous because attackers are targeting your highest value data, and quiet because attackers want to capitalize on a breach for as long as possible. In many cases, the only signal that you will have of a breach is abnormal user activity or resource access. Come to this presentation to learn how user and resource access monitoring technologies (SIEM, DAM, and so on) improve security, compliance and efficiency.
Mark Nicolett, Gartner

Planning for DLP Deployments for Compliance and Intellectual Property Protection
Organizations large and small are planning to deploy DLP to better control and protect sensitive assets at the perimeter, within data stores and document management systems, and at the endpoints. As these tools become mainstream within organizations they will impact and challenge traditional views of data classification, protection and access controls.
• Exactly what is DLP and how much of it do you need and in what form?
• How and what kind of DLP should be leveraged to maximize effectiveness within organizations at the lowest cost and in minimizing the Christmas tree effect?
• What are the key deployment lessons learned from successful deployments?
Eric Ouellet, Gartner

G14: The Dawn of Content Aware IAM
Content awareness is a relatively new idea under evaluation in identity and access management (IAM) circles. Originally a capability incorporated within data loss prevention (DLP) offerings, it can deliver new capabilities within IAM suites. This presentation will look at:
• Content awareness in the context of IAM
• Initial and long term vision for content awareness integration
• How organizations should plan for the introduction of content
Eric Ouellet, Gartner

Role Management Evolves: Contextual Entitlement Administration
Enterprises frequently struggle with how to control access — who has it, what level, and to what? Role life cycle management is key to many successful user provisioning and IAM governance implementations, and is itself evolving to a new form of “entitlement administration.”
• What are the key elements?
• Who are the key vendors and what do they offer to customers today?
• What’s the difference between role management and authorization management?
Ant Allan, Gartner

The Root to Happiness: Best Practices for Managing Superuser Privileges and Shared Account Passwords
Organizations are under increasing pressure to reduce the number of users having permanent full superuser privileges. In addition, there is pressure to implement better control over, and greater accountability for, use of shared accounts with like privileges.
• What are the risks of unconstrained use of superuser privileges and shared accounts?
• What are the best practices for managing superuser privileges and shared accounts in a controlled and auditable manner?
• What are the most effective tools for managing superuser privileges and shared accounts?
Ant Allan, Gartner

Securing Your Organization With Data Scrubbing Technologies
Organizations are quickly becoming aware of the risks associated with unintended embedded metadata information in documents shared with clients and partners. With the potential risk exposure being very significant, organizations need to consider data scrubbing solutions.
• What is data scrubbing and why is it important?
• What type of data scrubbing offerings are currently available?
• What is the current legal impact and accepted best practice for enacting a data scrubbing program?
Eric Ouellet, Gartner


    Summit Program

    TRACK 3:

    Meeting Expectations for IT Risk and Compliance Management

    What level of business risk is represented by partnering arrangements or dependence upon SaaS or
    cloud computing providers? Will outsiders properly secure your data? Can you efficiently demonstrate
    that your organization meets all regulatory and legal obligations in every country? Today’s IT risk
    manager needs to be an enabler, helping the line of business and IT to make effective decisions about
    which risks to accept and which to avoid.

One Nation’s Compliance Equals Another’s Violation: E-Disclosure and Privacy Issues Heat Up
Historically, the argument has been that the European statutes on data protection and privacy have not been rigorously and consistently enforced and the disclosure of potentially relevant evidence carried no real penalty. Despite the change in U.S. administration, the courts are unlikely to become similarly friendly. IT practitioners will find themselves caught in the middle.
• What relevant laws and statutes do European headquartered companies need to be mindful of?
• What can IT do to help mitigate the problem by providing local facilities?
• Are there best practices or technological approaches that can be called upon to make the problem more tractable?
Debra Logan, Gartner

Managing Compliance in a Pan-European Environment
New regulations such as Solvency II, IFRS or SEPA are a peculiar challenge for financial services providers which act in a pan-European environment and operate a heterogeneous IT landscape. In this presentation we will discuss root causes and consequences of such compliance activities. In addition we will discuss best practices to overcome the challenges.
• The surging wave of pan-European regulations
• Business and IT implications for financial services providers
• How to deal with the compliance challenges
Juergen Weiss, Gartner

Stormy Weather: Assessing the Security Risks of SaaS Products and Cloud Services
You need visibility into your supplier’s processes to ensure the appropriate level of information protection. You’ll also need to assess the security features and service levels and how well they’re implemented and maintained. Proven risk assessment practices can provide a useful level of assurance that a product or service is reliable, including its capabilities to resist both accident and human manipulation.
• What types of information facilitate provider transparency, and how do you get it?
• What are the three basic ways to assess the risk associated with a supplier?
• What are the compliance concerns associated with cloud computing?
Jay Heiser, Gartner

Getting Ahead of Regulations: Why Compliance Isn’t Enough
Compliance has become quite complex: audit requirements, accounting standards, encryption laws, electronic signatures, information security standards, privacy laws, breach notifications, document retention rules and e-discovery vary from country to country. We will give an update on the regulatory landscape and analyze what these requirements mean for business and IT.
• What makes the regulatory landscape so diverse across different countries?
• What do regulations mean for IT departments?
• What are the key elements of an IT compliance program?
Carsten Casper, Gartner

IT GRC Management
Security organizations are not exempt from the struggle to link IT to the business. In fact this linkage is required to: evaluate risk with business context; reduce the cost of compliance reporting; and produce metrics to measure the effectiveness of security programs. Come learn how IT GRCM technology can be used to evaluate IT risks and to efficiently demonstrate that your organization meets regulatory and legal obligations.
Mark Nicolett, Gartner

Assembling a GRC Solution: Beyond Marketscopes and Magic Quadrants
Most vendors providing financial, IT operations and IT security solutions claim to have a GRC solution, and there are specialist GRC vendors too. Learn the differences in technology-enabled approaches to GRC, and how you can assemble a comprehensive GRC solution.
• How can Gartner methodologies help in architecting the GRC solution?
• What are the architectural principles that can advance GRC maturity in support of business performance?
French Caldwell, Gartner

Turning Risk Management Into a Competitive Weapon for Financial Services Organizations
Organizations around the world are facing many new regulations and the latest economic crisis will most likely lead to further regulation. Several IT organizations are struggling to cope with these challenges and are looking for ways to create additional business value out of these efforts, which goes beyond pure compliance. In this presentation we will introduce some practical guidelines and case studies to show how to overcome this dilemma.
• Implications of re-regulation for risk
• Overcoming the conflict between compliance and business value
Juergen Weiss, Gartner


Leading the Security and Risk Management Team Through
Turbulent Times
How do you align security and risk management with the business? How do you get staff to comply
with policy? How do you articulate the business value of security? How do you balance the budget?
Leading the information security or risk management function is a special responsibility, requiring a mix
of technical, political and social skills.

Transforming from CISO to IT CRO
As enterprises reform their compliance efforts from reactionary to risk-oriented, chief information security officers (CISOs) and other IT risk management and security professionals will need to follow along or will find themselves deemed as irrelevant to the business. However, CISOs who develop competencies in enterprise risk management (ERM) and business analysis will be able to align IT risk management with business performance — for the benefit of both.
• What are the relationships between IT security, IT risk management and enterprise risk management?
• How will business risks be better managed if IT security professionals play a direct role in enterprise risk management?
• What are the skills and process disciplines needed for IT security professionals to contribute to the enterprise risk management program?
French Caldwell, Gartner

Know IT Security? Prove It! Developing Your Career With the Right Security Qualification
In times when even venerable IT security jobs may be at risk, you need a little bit extra that makes you stand out from the crowd. Having a security certification can help, but it can also pigeonhole you in terms of your perceived skills. When just about everyone has some certificate, what can you do to make sure you have the right one?
• What are the benefits of personal certifications that exist today?
• How do training, exam, peer review and continuous education influence the value of certification?
• What skills and certifications should an employer look for when optimizing the team structure?
Carsten Casper, Gartner

Report to the Board: Five Practical Tips to Link Risk and Security to Corporate Performance
A board wants to know that the organization is appropriately protected against reasonably anticipated risk. CIOs, CISOs and RMOs struggle to link risk management efforts in security, privacy, business continuity and compliance to the value they provide at line-of-business and executive levels. A handful of companies have figured it out and these five practical tips can help you solve this challenge.
• What do boards of directors and line-of-business executives want from risk management, GRC and security?
• How do you map key risk indicators into key performance indicators to support corporate performance?
• How can you present a defensible case for the value and effectiveness of risk management to executive audiences?
Christian Byrnes, Gartner

Integrating Security Management Into ITIL v3 Strategies: Case Study and Best Practices
Version 3 of ITIL takes a life cycle view of service management, as opposed to the functional approach of previous versions. While this is a major improvement in approach, it does have major practical implications on IT security, risk and compliance strategies. This presentation will look at:
• What’s new in ITIL v3, and how it impacts security management strategies
• A case study of how a multinational organization has integrated its security and risk management program into its ITIL v3 program
• Best practices in using ITIL v3 to align security and service management strategies
Tom Scholtz, Gartner

Gartner Workshop Session: Security Maturity Self Assessment
Assessing the maturity of security management processes is the foundation of continuous improvement in security performance. Consistent reporting on process maturity supports increased executive awareness and support. Furthermore, process maturity can also be interpreted as an indicator of the risk posture of the organization.
• How should organizations define a security and risk process catalog?
• What are the steps for formalizing security processes?
(Audience limited to 40; 1 hr 30 minute session)
Christian Byrnes, Paul Proctor, Gartner

The Risk Program Maturity Benchmark: How Does Your Organization Stack Up?
Gartner has surveyed several hundred organizations, in different geographies and verticals, and of different sizes across 12 dimensions of program maturity. Come to this presentation to find out how you compare.
Paul Proctor, Gartner

No More Dr No: A Framework for Positive Information Security Management
Security controls are inherently restrictive, and consequently the nickname of many organizations’ information risk and security management is “Dr No.” However, there are a number of governance, process, cultural and technological actions that information security leaders can implement to align their programs closer to business strategies.
• The symptoms, causes and consequences
• The governance, process, cultural and technical characteristics of a business-aligned security practice
Tom Scholtz, Gartner


     End-User Case Studies

     The case studies bring practitioners’ own experiences at leading organizations from a variety of
     industries and countries to the event. They demonstrate the challenges, adopted solutions, chosen
     processes, and resulting benefits that you can apply to your own environment. Best practice examples
     and real-world know-how showing you what you want to do — and what to avoid.

The Gartner Best Practice Council Panel Discussion: Meeting the Business Half Way
Safeguarding information in a corporate IT environment — a ‘consumer-centric’ arena of changing threats — requires an agile and responsive approach from the security team. In this interactive debate, hear how a number of leading-edge organizations have approached this essential area in terms of strategy, governance and communications.
Richard Barber, IT Security Strategy & Risk Manager, British American Tobacco
Ian Mason, Gartner Best Practices Councils EMEA
Casimiro Juanes, Head of IT Security,
Paul Jervis, CISO, RWE nPower

Instituting an IT Risk Reporting and Management Framework at Euroclear
Gaining management acceptance was positively affected by linking risk to specific IT processes — Euroclear created a consistent framework containing flexible reporting.
• Addressing risk and reporting at the strategic, operational and tactical levels
• Ensuring clear reporting to enhance acceptance and understanding
Olivier Nijland, IT Risk Manager, Euroclear

Using DLP to Prevent Misuse of Confidential Information
Banc Sabadell Group will present their experience of selecting and implementing a solution in this field.
• What to do before deploying a DLP solution
• Measuring our success in helping detect, monitor and prevent misuse of data
• Best practices for formulating the correct
Santiago Minguito, Information Security Manager, Banc Sabadell Group

A Practical Integration of ISO 27001 and ISO 27005 for Superior Security Management
The case study illustrates how an organization with many varying lines of business can define and link together in a practical way:
• A common mandatory guideline and baseline for information security based on ISO 27001
• A mandatory information classification
• An information security risk assessment process based on ISO 27005
Jan A Svensson, Director Information Security, City of Göteborg

Implementing Network Access Control for the Swiss Federal Railways
This session will highlight the common threats for large enterprise networks and how a Network Access Control (NAC) solution can help minimize the risk. The focus will be on evaluating and implementing a NAC solution in a large and heterogeneous environment:
• Key points to consider when evaluating a NAC solution
• Overview of the solution chosen by the Swiss Federal Railways
• Sharing our hands-on experience in implementing NAC
Alexander Hermann, Security Project Manager, Swiss Federal Railways

Advanced Security Practice Workshop: Risk Management — for the Advanced Information Security
This workshop will begin with a bottom-up view from within IT of the current state of IT risk management. We will move forward by taking a look at the risk landscape facing all organizations. This will highlight the gaps that are all too often present between where organizations are and where they need to be. We will go on to explore the resources readily available to organizations to enable them to close the gaps and effectively manage IT risks.
Roger Southgate, Leader, London CobiT Development Group and President, IT Governance Standards, ISACA

Security Essentials for the 21st Century: Security Leaders not just Managers
Your professional development objectives should ensure you learn how to move from ‘pushing’ employees toward security objectives, to leading and taking them with you.
• Becoming a true leader drawing employees toward security goals
• Securely enabling the organization in an inherently insecure environment
• Moving from technology focus to ‘soft skill’ people focus
Jim Heard, Information Security Manager, Centrica Energy


                                Media and Accreditation Partners

Use the Gartner Information Security Summit to advance your professional and personal development. At the 2009 Summit we are
partnering with key certification providers within this subject area to allow you to count your attendance toward your qualifications. You will
also be able to meet and learn from these organizations on-site as part of your Summit experience so you can gain a better understanding
of the options open to you as you seek to develop in your chosen career.

ISACA, previously known as the Information Systems Audit and Control Association, now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. The Certified Information Security Manager® (CISM®) certification program, launched in 2002 and developed specifically for experienced information security managers and those who have information security management responsibilities, has added impetus to the growth in ISACA membership worldwide to more than 75,000 since its inception in 1967. ISACA’s strong chapter network provides local support and networking opportunities via more than 175 chapters located in over 70 countries.

SANS is the most trusted source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security. Its programs now reach more than 165,000 security professionals. A wide range of individuals are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

The International Information Systems Security Certification Consortium, Inc. — (ISC)2® — is the globally recognized Gold Standard for certifying information security professionals. Founded in 1989, (ISC)2 has certified over 60,000 information security professionals in 135 countries. (ISC)2 issues the Certified Information Systems Security Professional (CISSP) and related concentrations, Certification and Accreditation Professional (CAP), and Systems Security Certified Practitioner (SSCP) credentials to those meeting necessary competency requirements. The CISSP, CISSP-ISSEP, CISSP-ISSAP and SSCP are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 members can earn up to 16 CPEs.

The Institute of Information Security Professionals (IISP) is setting the standard for professionalism in information security. Full Membership of the Institute is becoming the recognized competence-based qualification in this field. The addition of the UK Government Infosec Training Paths & Competences (ITPC) scheme to the Institute’s programme is a great step in providing a single harmonized skills framework for the accreditation of Information Security and Assurance professionals working in both public and private sectors.


     Gartner Research

     Worldwide Expertise at Your Fingertips — Your Questions
     on Information Security Answered
     Gartner analysts draw constantly from the real-life challenges and solutions experienced
     by more than 45,000 clients worldwide. The value of this resource, combined with our
     deep analysis of technology vendors, is unrivalled.

Gartner for IT Leaders

Every day you're faced with decisions that will determine success or failure and that could influence your organization's financial results, customer retention rates or ability to compete. Getting information is easy, but is it insightful and relevant? Your time is scarce. Spend less time searching for information and more time applying relevant insight to the IT initiatives that need effective solutions right now.

Ensure your success as an IT leader. Get the insight you need — when you need it — with instant Web access to exclusive Gartner research that's relevant, insightful and tailored for IT leaders in Applications.

Your Role. Your Event.
Insightful and relevant events aligned to your role, your priorities and your challenges:

Business Intelligence & Information Management
Business Process Improvement
CIO
Enterprise Architecture
Infrastructure & Operations
Program & Portfolio Management
Security & Risk Management
Sourcing & Vendor Relationships

Interested in our role-based events? Visit for further information.

Meet the Analysts

Ant Allan, Research VP. Focus Areas: User authentication, password management, user provisioning, role life cycle management.

Christian Byrnes, Managing VP. Focus Areas: Risk program management.

French Caldwell, Research VP. Focus Areas: Governance, risk and compliance, knowledge management, regulatory developments.

Carsten Casper, Research Director. Focus Areas: Privacy legislation, EU and cross-border privacy, compliance.

Peter Firstbrook, Research Director. Focus Areas: Anti-virus, anti-spyware, antispam, e-mail security.

John Girard, VP Distinguished Analyst. Focus Areas: Wireless security, mobile device management, mobile data encryption, mobile user authentication.

Jay Heiser, Research VP. Focus Areas: Trust communities, risk management, compliance, forensics and investigation.

Debra Logan, VP Distinguished Analyst. Focus Areas: Information governance, e-discovery, enterprise information management.

Mark Nicolett, VP Distinguished Analyst. Focus Areas: Security information and event management, vulnerability management, IT GRC management.

Eric Ouellet, Research VP. Focus Areas: Resource and access audits, PKI/PKO integration, IAM.

Paul Proctor, VP Distinguished Analyst. Focus Areas: Security program management, audit and compliance, network security, content monitoring and filtering.

Tom Scholtz, Research VP. Focus Areas: Security strategy, security architecture, organization, outsourcing, BCP/DRP.

Juergen Weiss, Principal Research Analyst. Focus Areas: Risk management and compliance, future technology trends in the insurance industry.

Maximize Your Summit Experience

Depth, Discipline, Decisiveness
Gartner Summits are unique in the experience that they bring to attendees. A mixture of session formats brings extended opportunities to interact with Gartner analysts, with fellow attendees and with focused solution providers.

Gartner Analyst One-on-One Meetings
Don't you think you deserve a little private and focused time? Meeting face-to-face with a Gartner analyst is one of the key benefits of attending this Summit. [Number tbc] Gartner analysts specializing in various aspects of information security will be at the Summit. Bring your issue, select the relevant analyst, set the agenda and walk away with invaluable, tailor-made advice.

Gartner Analyst/User Roundtables
Learn from your peers. Moderated by a Gartner analyst, these roundtables are a great forum for hearing what your industry peers are experiencing on issues similar to those you face. Be prepared to join the discussion and share best practices and practical advice. All end-user attendees at the event are invited to register for Gartner Analyst/User Roundtables by reserving at the One-on-One booking desk.

Solution Provider Sessions
Selected technology providers will give their advice on the latest technologies and best practices. The providers, and in many cases their clients, will explore best practices, key learnings and future trends and technologies. These sessions give you a unique opportunity to learn from the organizations that will shape the future of technology and to benefit from the real-life experiences of their clients.

Personalize Your Experience
Your Summit — your agenda. With a wealth of sessions, it is helpful to have a tool to build your own agenda focusing on your own needs. The online Agenda Builder helps you select the relevant sessions and schedule them in your calendar, with time built in for networking.

Gartner for IT Leaders: Security & Risk Management
Gartner clients have instant access to exclusive research tailored to their specific role via the Gartner for IT Leaders resource. The Gartner Information Security Summit is your chance to access Gartner research and Gartner analysts presenting their latest insights, whilst giving you direct access to the individual experts.

In 2009 we have worked to weave the key GITL initiatives directly into the Gartner content, with insights on all areas including:

Identity and Access Management
Information Security Program Management
Infrastructure Protection
IT Compliance Management
IT Risk Management

Reinforce your Gartner for IT Leaders research by attending and hearing it live and direct.

Vendor Ratings — Track and Monitor Vendor Performance
Manage the risk of your provider portfolio while you keep an eye on up-and-coming players and potential alternate providers.

Market Share — Validate Leading Providers
Understand where and how you can take advantage of shifts in market share, both now and in the future.

Hype Cycles — Interpret Technology Hype
When new technologies make bold promises, how do you discern the hype from what's commercially viable? Gartner can help!

Magic Quadrants — Speed up Your Knowledge of Competing Technology Providers
Who are the competing players in the major technology markets? How are they positioned to help you over the long haul? Gartner can help.

Assessing a market and its participants is a daunting task. Vendor differentiation caused by differing sizes, levels of complexity and strategies can inhibit comparisons of vendor offerings, and the market's overall direction is often murky. The Magic Quadrant Power Session addresses these challenges by offering snapshots of markets and their participants, enabling you to map vendor strengths against your current and future needs.

Register Now and build your agenda at

                                              Solution Showcase
                                              Meet the technology and service providers at the forefront of Information Security
                                              The Summit helps you develop a “short list” of technology providers who can meet your particular needs. We offer you exclusive
                                              access to some of the world’s leading technology and service solution providers in a variety of settings. Visit the Solution
                                              Showcase, attend the Solution Provider Sessions and join in the Networking Reception for informal relationship building.

Premier Sponsors

CA (NASDAQ: CA) is the world's leading independent IT management software company. We help organizations govern, manage and secure IT to better perform, innovate and grow their businesses. With our Enterprise IT Management (EITM) solution, organizations can unify IT and simplify the management of complex computing environments. Learn how CA, a Security Management leader for over 25 years, can help you grow your business — with less risk: visit the CA stand and listen to the CA presentation.

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Symantec software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at

Platinum Sponsors

Fortify® Software is the leader in the emerging category of Software Security Assurance, providing unique security solutions that protect companies and government agencies from today's greatest security risk: the software that runs their businesses. With backing from top-tier investors, Fortify has rapidly established itself as the vanguard in the application security arena.

PGP is a global leader in e-mail and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security.

                                               Verizon Business is one of few security providers that can help customers secure
                                               data and identities at the device, along their network and around the world.
                                               Our professional services, managed services and technologies are delivered
                                               as our customers need them, through full outsourcing, managed and hosted
                                               services and self-service models.

Silver Sponsors

ActivIdentity Corporation (NASDAQ: ACTI) is a global leader in strong authentication and credential management, providing solutions to confidently establish a person's identity when interacting digitally.

ArcSight (NASDAQ: ARST) is a global leader in compliance and security management, enabling enterprises and government agencies to comply with policy, safeguard assets and control business risks. Visit

NetIQ is a leading provider of security and compliance management solutions, reducing enterprise risk, decreasing compliance costs and increasing the security of critical information assets.

Qualys is the leading provider of on-demand IT security risk and compliance management solutions — delivered as a service. More information at

Sourcefire®, a world leader in intrusion prevention and the creator of Snort®, is transforming the way global organizations manage and minimize network security risks in real time.

TippingPoint provides comprehensive network security solutions that address the security and regulatory compliance needs of complex network environments for enterprises, government agencies, service providers and academic institutions.

Tripwire solutions help over 6,500 customers worldwide reduce security risk and gain control over IT configurations. Headquartered in Portland, Oregon, Tripwire has offices worldwide.

Sponsor listing correct at 20 May 2009

Sponsorship Opportunities
If your organization is interested in sponsoring this event, please contact Darren McCormack for further details:
Tel: +44 1784 26 8624


How to Register
Telephone: +44 20 8879 2430

Pricing

Early Bird Price
€1,695 + 15% VAT (offer ends 24 July 2009)

Standard Conference Price
€2,195 + 15% VAT

Why Register Early?
• Save €500 on the standard conference price
• Priority Gartner Analyst One-on-One booking

Gartner Clients
A Gartner ticket covers both days of the Summit. If you are a client with queries about tickets, please contact your Account Manager or e-mail emea.

Refer a Colleague
If you know of a colleague who would benefit from the Summit experience and direct access, please forward this brochure to them.

Team Discount

Bring the Team: Divide and Conquer!
Teams that attend a Gartner Summit together gain a much richer experience of the event. Not only can they divide and conquer, attending all the sessions to maximize their learning, but they also have the added benefit of inviting a Gartner analyst to a team meeting — to facilitate a discussion or advise them on strategic initiatives and key projects. For this reason, companies often take the opportunity to hold offsite team meetings and incorporate Gartner Events as part of their training programs.

Gartner Events has designed an experience that will help teams of 4 to 25 maximize their Summit experience while on-site and long after the event concludes.

Team Benefits:
1) Team meeting with a Gartner analyst (end users only)
2) Optional team meeting(s) with select executives from vendor organizations
3) Advice and support on building personalized agendas for your team
4) 10+ free audio sessions from the Gartner Multimedia Events On Demand product
5) Complimentary team lounge and meeting space (based on team size)
6) Concierge service pre-event and on-site
7) Discounts on registration rates

Summit Team Discount Offers:
4 for the price of 3
6 for the price of 4
10 for the price of 7

To register a team please e-mail: or contact your Gartner Account Manager. Please note that teams must be registered at the same time, and we can only guarantee availability of team benefits if the team is registered at least 3 weeks in advance of the Event.

                                         Return address: Gartner, PO Box 754, North Shields, NE29 1EJ, United Kingdom


Your Event Reminders
Register before 24 July for Early Bird discount!

Build your own agenda online now

Book a 30-minute Gartner Analyst One-on-One
Meeting with your preferred analyst

Access the documentation and presentations
after the event

Gartner UK Ltd. is a company registered in England & Wales with the registration number 2266016.   The registered office is Tamesis, The Glanty, Egham, Surrey, TW20 9AW, United Kingdom.
