© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner and ITxpo are registered trademarks of Gartner, Inc. or its affiliates. For more information, email [email protected] or visit gartner.com.
Gartner Security & Risk Management Summit 2015
June 8 – 11 | National Harbor, MD | gartner.com/us/securityrisk
Gartner Security & Risk Management Summit 2015 was held on June 8 – 11 at the Gaylord National Resort & Convention Center in National Harbor, MD. This report summarizes and provides highlights from the event.
Photos: Gaylord National Resort & Convention Center; Andrew Walls speaking at Gartner Security & Risk Management Summit 2015
Trip Report
Overview
At the 21st annual Gartner Security & Risk Management Summit, attendees participated in on-site benefits, heard the latest IT security and risk management presentations from the Gartner research community on today’s most pressing topics, attended workshops run by expert analysts and industry leaders, heard real-life experiences during peer case studies, engaged in analyst-user roundtables and one-on-one meetings with Gartner analysts, and checked out the latest solutions at the Solution Showcase.
Attendees walked away with actionable solutions to key topics, including how to:
• Gain role-specific tools and strategies to stay ahead of expanding scopes of responsibility and increasing threats
• Align security and risk management strategies with enterprise objectives
• Assure compliance by learning the new privacy and e-discovery regulations and requirements
• Apply the latest techniques to tackle risks in cloud, operational technology (OT), the Internet of Things (IoT) and IT
• Maximize enterprise ROI by using the latest business continuity management (BCM) and enterprise resilience practices
Table of contents
• Findings from Gartner Security & Risk Management Summit 2015
• Gartner keynotes
• Guest keynotes
• Conference highlights
• Top 5 most-attended sessions
• Snapshot of attendees
• Sponsors
• Post-event resources
• Renewal
Save the date
Gartner Security & Risk Management Summit 2016 will take place June 13 – 16, in National Harbor, MD, at the Gaylord National Resort & Convention Center. Be sure to bookmark the website, gartner.com/us/securityrisk, and check back for 2016 conference updates.
Manage Risk and Deliver Security in a Digital World
Findings from Gartner Security & Risk Management Summit 2015
Here are key recommendations from this year’s most popular Gartner analyst sessions, especially useful for your 2015 planning and strategy considerations.
A11. Why Your Policy Is Broken and How You Can Fix It
Rob McMillan, Director
• Review your policy for common policy problems.
• Verify that you have an effective process in place for ensuring that your people are aware of the policy and its requirements.
• Stress-test your policy to look for potential failures.
• Assess the extent to which you can prove that your external providers are managing to your policy and adjust as required.
• Adjust your policy to address the policy problems that you identify.
• Implement a program to assess compliance and detect anomalies.
B9. Mobile Security Threats and Trends 2015
John Girard, Vice President and Distinguished Analyst; Dionisio Zumerle, Director
• Review your mobile policy and identify the key participants in the enterprise mobility program.
• Translate your technical risk into enterprise risk, define a direction and ask for top management validation.
• Abandon device-centric lockdown security for app-centric models.
• Experiment with data-centric solutions, but be aware of immaturity.
• Focus your efforts on providing solutions that are tailored for mobile use and therefore obviate shadow IT practices.
• Act tactically: Assess your post-deployment posture, close gaps and refresh again in six to 12 months.
C1. The Cloud Security Scenario
Jay Heiser, Vice President
• Build cloud security and control competencies.
• Develop and enforce cloud governance policies: Data classification and risk acceptance and “ownership” of data and departmental applications.
• Manage your accounts (especially privileged ones).
• Ensure that you have contingency plans.
• Demand that CSPs follow standards and provide third-party security assessments.
D8. Future-Proofing IAM
Ant Allan, Vice President
• Identify your organization’s strategies for and stakeholders in digital business, IoT and the digital workplace.
• Determine where IAM creates unnecessary friction in the digital workplace.
• Get to know your IAM vendors’ plans to support external identity providers, ABAC and so on.
• Identify alternatives.
• Update your IAM strategic plan to reflect digital business, IoT and digital workplace goals.
• Develop a strategy for bimodal IAM.
• Plan for fundamental changes in IAM teams’ skills, staffing and structure.
• Simplify your IAM architecture and operations by embracing people-centric security principles.
E9. Mobile Device Security: A Comparison of Platforms
Patrick Hevesi, Director
• Understand the mobile threat landscape.
• Be cautious when investing in mobile device security apps.
• Set mobile OS version standards and deny older versions (iOS 8, Samsung Knox, Windows 8.1).
• In a bring-your-own-device (BYOD) program:
– Choose devices with strong native controls over devices lacking adequate controls or with security settings that can be disabled by users.
– Alternatively, complement device controls with additional software such as managed information containers.
• In fully managed high-security organizations, choose hardened devices with highly granular policy management capabilities.
F5. Building Advanced KRIs: Risk Metrics That Influence Business Decisions
Paul E. Proctor, Vice President and Distinguished Analyst
• Review all of your dashboards and metrics.
• Define the audience they address.
• Determine which decisions the metrics are meant to influence for that audience.
• Determine the causal relationships each metric has to a business dependency.
• Revise your metrics to be leading indicators.
• Reposition.
• Move IT operational metrics away from business decision makers.
G8. Software Licensing Is a Risk. Is Your Organization Managing It?
Victoria Barber, Director
• Find out who your asset manager is.
• Understand the current state of software asset management in your organization.
• Insist that investment is made to reduce current licensing risk.
• Support the asset manager to develop and mature software asset management.
• Leverage software asset management data to identify and quantify business risk.
• Enforce license compliance through process and controls.
H13. The Current State of Cloud-Based Recovery and Continuity
John P. Morency, Vice President
• Decide which recovery requirements must be supported now and later.
• Define your priorities for platform support and data replication support requirements.
• Evaluate vendors from a recovery assurance perspective: Define the availability, recovery and performance requirements and document them in SLA terms.
• Assess carefully the extent to which a service provider can reduce the time, cost and logistics of recovery exercising.
• Quantify the required implementation time, license costs and monthly services cost differences between the alternatives.
• Perform pricing due diligence with the finalists.
• Decide which provider type (if any) is most appropriate.
J3. User Authentication Vendors Are Not the Only User Authentication Vendors
Ant Allan, Vice President
• Inventory your user authentication use cases.
• Review how incumbent solutions meet trust, TCO and UX needs.
• Identify use cases in need of new methods or wholly new solutions.
• Identify use cases where adaptive access control can add value.
• Select vendors to meet the needs identified above.
• Plan for longer-term changes as new technologies become available.
“This conference is the premier conference for security and risk management professionals. The content and networking are highlights of an amazing team of analysts.”
Stephen Zalewski, Security Architect, Pacific Gas and Electric Company
Gartner keynotes
Manage Risk and Deliver Security in a Digital World
Ant Allan, Vice President; Peter Firstbrook, Vice President; Avivah Litan, Vice President and Distinguished Analyst
In the opening keynote, Gartner analysts discussed how effective cybersecurity is the foundation of successful digital business. As organizations leverage new technology and business processes to deliver services and products to global markets, security and risk managers must support achievement of enterprise objectives while mitigating security risks to an acceptable level. The analysts stressed that, to achieve success, security and risk leaders must embrace new approaches to digital business while maintaining a proven control architecture that mitigates enterprise risk.
Cybersecurity Scenario 2020: The Impact of Digital Business on Security F. Christian Byrnes, Managing Vice President
Two years ago, Gartner provided a scenario covering the evolution of the threat environment through 2020. Today, our senior analysts have assembled a picture of how digital business will impact the security practice in that same time frame. F. Christian Byrnes explained how this is yet another key input to long-term strategic planning and showed how it will also impact business life.
The Great Race to Digital Moments Chris Howard, Vice President and Distinguished Analyst
In the closing keynote, Chris Howard delved into how digital moments come in all forms: moments for customers or employees, moments of commerce and engagement, and moments where an organization needs to capitalize on something unexpected by integrating data and function on the spot. He explained how digital moments are opportunities to achieve enterprise objectives, but they also involve new risks. Our growing experience with mobility, analytics, cloud and social connectivity creates the platform to support these moments, increasingly amplified by the IoT. Howard then explored several of these digital moments and their implications for security and risk professionals.
Guest keynotes
U.S. Intelligence, Defense and Cybersecurity Strategies
Leon Panetta, U.S. Secretary of Defense (2011-2013), and Director, Central Intelligence Agency (2009-2011)
Leon Panetta discussed U.S. intelligence and cybersecurity strategies from his experience as the 23rd Secretary of Defense from 2011 through 2013. Panetta shared how he oversaw the final removal of American troops from Iraq as well as the beginning of troop withdrawals from Afghanistan. He then touched on defense strategy from the period when he led the effort to develop a new defense strategy to advance greater agility, protect national security and meet fiscal discipline, which in turn opened up new opportunities for everyone to serve in the military and protected benefits for wounded warriors and their families.
Inkjet Business Model Considered Harmful Cory Doctorow, Journalist, Science Fiction Author, Activist and Blogger
Cory Doctorow discussed how the IoT is being born with the inkjet printer business model: “ecosystems” of devices that can only be connected with the manufacturer’s approval. This allows manufacturers to command high margins for the consumables, chargers and add-ons you have to buy to keep using the stuff you already own. He then explained that the real danger comes as soon as you design a computer to thwart its owner’s desires. This then sets in motion a set of security, policy and technology decisions that ends with spyware shipping out of the box on every device.
Conference highlights
6 keynotes featuring Gartner analysts and industry experts
Manage Risk and Deliver Security in a Digital World
Welcome Remarks and Program Roadmap
Cybersecurity Scenario 2020: The Impact of Digital Business on Security
Guest Keynote: U.S. Intelligence, Defense and Cybersecurity Strategies
Guest Keynote: Inkjet Business Model Considered Harmful
The Great Race to Digital Moments
107 Gartner track sessions (some selected topics)
The New CISO’s Crucial First 100 Days
How the Internet of Things Will Change Cybersecurity Forever
Magic Quadrant for Operational Risk Management
The Availability Implications for Digital Business
Network Security Guide to BYOD — 2015 Update
Top Trends and Take-Aways for Cybersecurity
11 end-user case studies (some selected topics)
Information Security Is a Business Continuity Issue: Are You Ready?
Top Threats, Vulnerabilities and Hiring Challenges — What Is a CISO to Do?
Developing a Medical Device Security Program
What Makes Organizations Resilient and Why You Should Care
How to Present Risk to Board-Level Management: Key Take-Aways From Visa
Future of Sales in Information Security
27 roundtable discussions (Gartner-analyst-moderated; some selected topics)
Using a Virtual Team to Manage IT Asset Risks
What Can We Expect From the Upcoming EU Data Protection Regulation?
Presenting to the Board and Executive Committees
Comparing Best Practices for Cloud Risk Management
Information Security Metrics
What Is Information Governance Technology and How Is It Being Used?
“Fantastic event for any and all security professionals!”
Matthew Mudry, Director, IT Architecture and Security, Castleton Commodi
6 workshops
Essential Communication and Conflict Resolution Skills for Security Leaders
The Gartner ITScore Maturity Model for IAM
Make the Business Case and Obtain BCM Program Executive Sponsorship
IT Security: Planning a Self-Audit
Start Your DLP Project By Making It Relevant
The Language of Change: Overcoming Change Resistance and Transforming Culture
3 debate sessions
Quantitative vs. Qualitative Risk Assessment
We Will Fail If We Try to Protect All Data and Processes That We Own
Debating Pervasive Data-at-Rest Encryption: Great Security or Grand Illusion?
Join the conversation
Connect with Gartner Security & Risk Management Summit on Twitter and LinkedIn.
Twitter: #GartnerSEC
LinkedIn: Gartner Security and Risk Management Summit
Conference highlights (continued)
Top 5 most-attended sessions
• G16. Using Storytelling to Get Your Risk Management Message Heard – Jeffrey Wheatman, Director
• F16. GRC: What Works, What Doesn’t – Paul E. Proctor, Vice President and Distinguished Analyst
• E7. Securing Sensitive SaaS Using Cloud Access Security Brokers – Ramon Krikken, Vice President
• D15. How to Build a Globally Legal and Successful BYOD Program – John Girard, Vice President and Distinguished Analyst
• E9. Mobile Device Security: A Comparison of Platforms – Patrick Hevesi, Director
Online access for one year
Missed a session? Have no fear. Your ticket includes keynotes and track sessions, not just those you saw live! Gartner Events On Demand provides streaming access to recorded presentations for all paid attendees for one year. Watch your favorites again and see those you missed from any Web-connected device. Visit gartnereventsondemand.com.
Snapshot of attendees
Who participated in the 2015 conference?
Top job roles
1. Security and risk management
2. Infrastructure and operations
3. CxO
4. Enterprise architecture
5. Product management/marketing
Top job titles (chart): C-level, Management, Director, Vice President, Analyst
Top industry sectors
• 18% Banking, finance and insurance
• 17% Government
• 11% Manufacturing
• 7% Healthcare
• 3% Education
Thank you to our sponsors
Premier
Platinum
Thank you to our sponsors (continued)
Platinum
Silver
Absolute Software Corporation
Accellion
Accelops
Agari
Agiliance
AhnLab
Alert Enterprise
Algosec
Alott Communications
Arbor Networks, INC.
Arxan Technologies
Aujas Information Risk Services
Avatier
Avecto
BAE Systems
Barracuda Networks
Bay Dynamics, Inc
Beyond Trust Software, INC
Bit9 + Carbon Black
Bitglass
Bloomberg Vault
Blue Coat Systems
Boldon James
Box
BrandProtect Inc.
BrightPoint Security
Brinqa
Camber Corporation
Caspida
Centripetal Networks
CenturyLink
Certes Networks
Cigital
Click Security
CloudLock
CloudPassage
Cognizant Technology Solutions
Continuity Logic
Contrast Security
Courion Corporation
Cyber adAPT, Inc.
Cybereason
Cylance
Cymmetria
Cyphort
Darktrace
Digital Defense, Inc.
Digital Guardian
Domain Tools
EdgeWave
Elastica, INC.
Endgame
ESET North America
Exabeam
FireLayers
Firemon
Fortscale
General Dynamics Fidelis Cybersecurity Solutions
Global Learning Systems
Google Inc.
Gurucul
Hexis Cyber Solutions, Inc.
Hitachi ID Systems, Inc.
ICF International
Identity Finder
Inspired eLearning
Interset Software, Inc.
Invincea, Inc.
ISACA
Kaspersky Lab
Lancope
LastPass
Learning Tree International
LockPath
LogRhythm
Lookout
Lunarline
ManTech
Menlo Security
Modulo
NetIQ
Netskope
Neustar
Niara
NSFOCUS Information Technology Co., Ltd.
ObserveIT
Okta
Onapsis
OpenDNS
Palerra
Panda Security
PhishLine.com
PhishLabs
Phishme
Platfora
Portnox
PREVALENT, INC.
Prevoty
ProtectWise
Protegrity
Quotium
Rapid7
Recorded Future
RedSeal
Resilient Systems
Return Path
RSAM
Safenet
Secunia
Security Compass
Security First Corp
Security Mentor
Security Innovation
Securonix
SentinelOne
Simieo Solutions
Spikes Security
SSH Communications Security
Stroz Friedberg
Synopsys, Inc.
Tanium
Tenable Network Security, Inc.
The Media Trust
ThreatSim
ThreatStream
ThreatTrack
Thycotic
Triumfant
TRUSTe
Tufin
Varonis Systems, Inc.
Verisign
Vidder
Virtustream
Vormetric
Waratek
whiteCryption Corp.
Wombat Security Technologies
Post-event resources
Customizable post-event worksheet
Take a moment to complete your own post-event trip report, a valuable resource for future reference and a great way to share with colleagues what you learned. Click here to access the trip report worksheet.
Learn more with relevant research
Want to learn more about the topics that interest you most? Turn to the end of each session presentation for a list of related Gartner research notes. Select Gartner research is available on demand at gartner.com.
“This conference is a great venue for meeting cyberpractitioners from various sectors and comparing experiences.”
Sherrill Nicely, CISO, CIA
Upcoming events
• Gartner Security & Risk Management Summit 2015 | July 13 – 15 | Tokyo, Japan
• Gartner Security & Risk Management Summit 2015 | August 24 – 25 | Sydney, Australia
• Gartner Security & Risk Management Summit 2015 | September 14 – 15 | London, U.K.
• Gartner Security & Risk Management Summit 2015 | November 2 – 3 | Dubai, UAE
• Gartner Identity & Access Management Summit 2015 | December 7 – 9 | Las Vegas, NV
Join us again in 2016!
Gartner Security & Risk Management Summit 2016
June 13 – 16 | National Harbor, MD | gartner.com/us/securityrisk
Hot topics
• Application, network and infrastructure security
• Planning for IoT security
• Digital business security and risk management
• Organizational resilience through BCM
• Risk management and compliance
Register for this must-attend security and risk management event at gartner.com/us/securityrisk or call 1 866 405 2511.
Earn CPE credits
Earn CPE credits toward (ISC)2, ISACA and DRII certification.