Gartner Security & Risk Management Summit 2015 was held on June 8 – 11 at the Gaylord National Resort & Convention Center in National Harbor, MD. This report summarizes and provides highlights from the event.
Gaylord National Resort & Convention Center Andrew Walls speaking at Gartner Security & Risk Management Summit 2015
Trip Report
Overview
At the 21st annual Gartner Security & Risk Management Summit, attendees participated in on-site benefits, heard the latest IT security and risk management presentations from the Gartner research community on today’s most pressing topics, attended workshops run by expert analysts and industry leaders, heard real-life experiences during peer case studies, engaged in analyst-user roundtables and one-on-one meetings with Gartner analysts, and checked out the latest solutions at the Solution Showcase.
Attendees walked away with actionable solutions to key topics, including how to:• Gain role-specific tools and strategies to stay
ahead of expanding scopes of responsibility and increasing threats
• Align security and risk management strategies with enterprise objectives
• Assure compliance by learning the new privacy and e-discovery regulations and requirements
• Apply the latest techniques to tackle risks in cloud, operational technology (OT), the Internet of Things (IoT) and IT
• Maximize enterprise ROI by using the latest business continuity management (BCM) and enterprise resilience practices
2 Findings from Gartner Security & Risk Management Summit 2015
5 Gartner keynotes
6 Guest keynotes
7 Conference highlights
8 Top 5 most-attended sessions
9 Snapshot of attendees
10 Sponsors
13 Post-event resources
14 Renewal
Table of contents
Gartner Security & Risk Management Summit 2016 will take place June 13 – 16, in National Harbor, MD, at the Gaylord National Resort & Convention Center. Be sure to bookmark the website, gartner.com/us/securityrisk, and check back for 2016 conference updates.
Save the date
Manage Risk and Deliver Security in a Digital World
Findings from Gartner Security & Risk Management Summit 2015Here are key recommendations from this year’s most popular Gartner analyst sessions — especially useful for your 2015 planning and strategy considerations.
A11. Why Your Policy is Broken and How You Can Fix It Rob McMillan, Director• Review your policy for common policy problems.
• Verify that you have an effective process in place for ensuring that your people are aware of the policy and its requirements.
• Stress-test your policy to look for potential failures.
• Assess the extent to which you can prove that your external providers are managing to your policy and adjust as required.
• Adjust your policy to address the policy problems that you identify.
• Implement a program to assess compliance and detect anomalies.
B9. Mobile Security Threats and Trends 2015 John Girard, Vice President and Distinguished Analyst; Dionisio Zumerle, Director• Review your mobile policy and identify the key participants in the enterprise mobility program.
• Translate your technical risk into enterprise risk, define a direction and ask for top management validation.
• Abandon device-centric lockdown security for app-centric models.
• Experiment with data-centric solutions, but be aware of immaturity.
• Focus your efforts on providing solutions that are tailored for mobile use and therefore obviate shadow IT practices.
• Act tactically: Assess your post-deployment posture, close gaps and refresh again in six to 12 months.
C1. The Cloud Security Scenario Jay Heiser, Vice President• Build cloud security and control competencies.
• Develop and enforce cloud governance policies: Data classification and risk acceptance and “ownership” of data and departmental applications.
• Manage your accounts (especially privileged ones).
• Ensure that you have contingency plans.
• Demand CSPs follow standards and provide third-party security assessments.
Findings from Gartner Security & Risk Management Summit 2015D8. Future-Proofing IAM Ant Allan, Vice President• Identify your organization’s strategies for and stakeholders in digital business, IoT and
the digital workplace.
• Determine where IAM creates unnecessary friction in the digital workplace.
• Get to know your IAM vendors’ plans to support external identity providers, ABAC and so on.
• Identify alternatives.
• Update your IAM strategic plan to reflect digital business, IoT and digital workplace goals.
• Develop a strategy for bimodal IAM.
• Plan for fundamental changes in IAM teams’ skills, staffing and structure.
• Simplify your IAM architecture and operations by embracing people-centric security principles.
E9. Mobile Device Security: A Comparison of Platforms Patrick Hevesi, Director• Understand the mobile threat landscape.
• Be cautious when investing in mobile device security apps.
• Set mobile OS version standards and deny older versions (iOS 8, Samsung Knox, Windows 8.1).
• In a bring-your-own-device (BYOD) program: – Choose devices with strong native controls over devices lacking adequate controls or with
security settings that can be disabled by users. – Alternatively, complement device controls with additional software such as managed
information containers.
• In fully managed high-security organizations, choose hardened devices with highly granular policy management capabilities.
F5. Building Advanced KRIs: Risk Metrics That Influence Business Decisions Paul E. Proctor, Vice President and Distinguished Analyst• Review all of your dashboards and metrics.
• Define the audience they address.
• Determine the decisions for the audience who is influenced by the metrics.
• Determine the causal relationships each metric has to a business dependency.
• Revise your metrics to be leading indicators.
• Reposition.
• Move IT operational metrics away from business decision makers.
Findings from Gartner Security & Risk Management Summit 2015 (continued)G8. Software Licensing Is a Risk. Is Your Organization Managing It? Victoria Barber, Director• Find out who your asset manager is.
• Understand the current state of software asset management in your organization.
• Insist that investment is made to reduce current licensing risk.
• Support the asset manager to develop and mature software asset management.
• Leverage software asset management data to identify and quantify business risk.
• Enforce license compliance through process and controls.
H13. The Current State of Cloud-Based Recovery and Continuity John P. Morency, Vice President• Decide which recovery requirements must be supported now and later.
• Define your priorities for platform support and data replication support requirements.
• Evaluate vendors from a recovery assurance perspective: Define the availability, recovery and performance requirements and document them in SLA terms.
• Assess carefully the extent to which a service provider can reduce the time, cost and logistics of recovery exercising.
• Quantify the required implementation time, license costs and monthly services cost differences between the alternatives.
• Perform pricing due diligence with the finalists.
• Decide which provider type (if any) is most appropriate.
J3. User Authentication Vendors Are Not the Only User Authentication Vendors Ant Allan, Vice President • Inventory your user authentication use cases.
• Review how incumbent solutions meet trust, TCO and UX needs.
• Identify use cases in need of new methods or wholly new solutions.
• Identity use cases where adaptive access control can add value.
• Select vendors to meet the needs identified above.
• Plan for longer-term changes as new technologies become available.
“ This conference is the premier conference for security and risk management professionals. The content and networking are highlights of an amazing team of analysts.”Stephen Zalewski, Security Architect, Pacific Gas and Electric Company
Gartner keynotesManage Risk and Deliver Security in a Digital World Ant Allan, Vice President; Peter Firstbrook, Vice President; Avivah Litan, Vice President and Distinguished Analyst
In the opening keynote, Gartner analysts discussed how effective cybersecurity is the foundation of successful digital business. As organizations leverage new technology and business processes t o deliver services and products to global markets, security and risk managers must support achievement of enterprise objectives while mitigating security risks to an acceptable level. The analysts stressed that in order to achieve success, security and risk leaders must embrace new approaches to digital business while maintaining proven control architecture that mitigates enterprise risk.
Cybersecurity Scenario 2020: The Impact of Digital Business on Security F. Christian Byrnes, Managing Vice President
Two years ago, Gartner had provided a scenario covering the evolution of the threat environment through 2020. Today, our senior analysts have assembled a picture of how digital business will impact the security practice in that same time frame. F. Christian Byrnes explained how this is yet another key input to long-term strategic planning and showed how it will also impact business life.
The Great Race to Digital Moments Chris Howard, Vice President and Distinguished Analyst
In the closing keynote, Chris Howard delved into how digital moments come in all forms: moments for customers or employees, moments of commerce and engagement, and moments where an organization needs to capitalize on something unexpected by integrating data and function on the spot. He explained how digital moments are opportunities to achieve enterprise objectives, but they also involve new risks. Our growing experience with mobility, analytics, cloud and social connectivity creates the platform to support these moments, increasingly amplified by the IoT. Howard then explored several of these digital moments and their implications for security and risk professionals.
Guest keynotesU.S. Intelligence, Defense and Cybersecurity Strategies Leon Panetta, U.S. Secretary of Defense (2011-2013), and Director, Central Intelligence Agency (2009-2011)
Leon Panetta discussed U.S. intelligence and cybersecurity strategies from his experience as the 23rd Secretary of Defense from 2011 through 2013. Panetta shared how he oversaw the final removal of American troops from Iraq as well as the beginning of troop withdrawals from Afghanistan. He then touched on defense strategies from when he led the effort to develop a new defense strategy to advance greater agility, protect national security and meet fiscal discipline, which in turn opened up new opportunities for everyone to serve in the military and protected benefits for wounded warriors and their families.
Inkjet Business Model Considered Harmful Cory Doctorow, Journalist, Science Fiction Author, Activist and Blogger
Cory Doctorow discussed how the IoT is being born with the inkjet printer business model: “ecosystems” of devices that can only be connected with the manufacturer’s approval. This allows manufacturers to command high margins for the consumables, chargers and add-ons you have to buy to keep using the stuff you already own. He then explained that the real danger comes as soon as you design a computer to thwart its owner’s desires. This then sets in motion a set of security, policy and technology decisions that ends with spyware shipping out of the box on every device.
Missed a session? Have no fear. Your ticket includes keynotes and track sessions — not just those you saw live! Gartner Events On Demand provides streaming access of recorded presentations to all paid attendees for one year. Watch your favorites again and see those you missed from any Web-connected device. Visit gartnereventsondemand.com.
Customizable post-event worksheetTake a moment to complete your own post-event trip report, a valuable resource for future reference and a great way to share with colleagues what you learned. Click here to access the trip report worksheet.
Learn more with relevant researchWant to learn more about the topics that interest you most? Turn to the end of each session presentation for a list of related Gartner research notes. Select Gartner research is available on demand at gartner.com.
“ This conference is a great venue for meeting cyberpractitioners from various sectors and comparing experiences.”Sherrill Nicely, CISO, CIA
Gartner Security & Risk Management Summit 2015 July 13 – 15 | Tokyo, Japan
Gartner Security & Risk Management Summit 2015 August 24 – 25 | Sydney, Australia
