This orientation session is designed exclusively for CISO Circle attendees to help make Security & Risk Summit the most productive experience. Tatiana Wells, Senior Director, Gartner Events will provide many tips on how to navigate your way through the exclusive CISO Circle Program as well as the overall conference. Topics will include workshops, CISO luncheons and additional CISO-exclusive sessions, CIO networking and much more with plenty of time for Q&A.
Using the Senate Testimony of former Equifax CEO Richard Smith, Gartner presents a timeline of events and a current analysis of factors that put senior non-IT executives at risk following a cybersecurity event. Learn how defensibility and corporate culture are key attributes when developing a cybersecurity program that balances the needs to protect with the needs to run your business.
Do you need to raise the profile of security in your organization? Do your key stakeholders know the value the security team can bring? Many security leaders feel their reach is limited and their opportunities to speak with the Board and senior leaders are often reactive. Reaching beyond compliance to establish truly trusted relationships, this accelerated profile-building session will take you through practical steps to increase your profile and your authority within your organization through actions you can take today. Even if you feel your profile within your business is positive and broad, there are always new tips and advice to take away.
A one-page cybersecurity strategy has been the goal for CISOs forever, and the effort always falls short. They are too technical and don’t resonate with businesspeople, or are so “soft” that technical staff don’t know what to do with them. Join us for this engaging workshop on how to craft a simple, easy-to-use one-page strategy to propel your program to success. PLEASE NOTE: For end-users only. Pre-registration is required.
Following her morning keynote address, members of the CISO Circle will have the opportunity to meet with Katie Moussouris in an exclusive session and ask questions that are top of mind for them.
Your opportunity to engage with the Keynote presenters, ask questions that are top of your mind, and network with your peers.
It is now common practice, and in certain cases mandated by regulation, for a board of directors to require periodic reporting and event-based updates on the state of security and risk management in an enterprise. Developing and communicating an effective message that balances the need to protect with the need to run your business is critical to success. However, in many cases, security and risk leaders are left frustrated and/or unable to answer elementary questions that the Board asks. This presentation will discuss: What is the role of the board and what do they care about? What are some of the most common questions that board members ask? (and a talk track for these questions). How can security and risk leaders flip the conversation to educate the Board on issues that they need to know about?
Metrics should inform better decision making. “Business alignment” is spoken about frequently, but execution is challenging throughout the Gartner client base. Key risk indicators (KRIs) should have defensible causal relationships to business impacts and present leading indicators to decision makers. Gartner has developed a methodology to integrate risk and corporate performance that helps achieve these goals.
Most CEOs are excellent problem solvers, but too often CISOs seek approval rather than enable their CEOs to participate in the decision-making process. This causes disengagement, and is at the root of many of the challenges CISOs and IT leaders face. CISOs need to use different tools to get their CEO to the table and keep them engaged so that they value the outcome of the decisions we ask for.
Your opportunity to engage with the Keynote presenters, ask questions that are top of your mind, and network with your peers.
The benefits of information and cybersecurity must be translated into business terminology. This presentation describes proven methods for linking security to business value. What are proven strategies for obtaining business support? What is a practical model for communicating the value of a security program? What techniques can be used for justifying security projects?
"Top" trends highlight ongoing strategic shifts in the security ecosystem that aren’t yet widely recognized, but are expected to have broad industry impact and significant potential for disruption. This presentation will describe the most significant trends in cybersecurity and how leading organizations are taking advantage of these trends: top technological improvements in the security product landscape; trends in creating a top-notch security organization; strategic trends that will influence security strategy.
Digital transformation continues to challenge the conventions of information risk and security management. It requires a coherent digital security program based on a clear vision and strategy. This presentation will: Share a compelling vision for security and risk management. Identify the key "digital differences" that must be integrated into the security program.
The biggest challenge for security and risk leaders is how to communicate more effectively with a range of stakeholders. Stop using acronyms, jargon and technobabble, and get more traction, align with business goals, and be viewed as a strategic leader. What are the benefits of better communication? What are the top causes of miscommunication? How can security and risk leaders be more effective risk communicators?
Security and risk management leaders have struggled to hire and retain staff with the right skills, especially since the inception of digital business. Leaders have begun to accept the shortage of skills as a reality and continue to look for ways to manage this reality. In this presentation, we will discuss the outlook for security talent in digital businesses and address the following questions: What can you do to ensure your team’s skill sets are developed for a digital world? What does the future of talent look like with technologies such as machine learning, blockchain and IoT looming? What are some of the emerging roles that leaders should plan for as organizations transform their digital businesses? How can organizations stay ahead of the curve and ensure that they are able to manage the risk of participating in a digital ecosystem?
There is no such thing as a perfect, universally appropriate model for security organizations. Every enterprise must develop its own model, taking into consideration basic principles, practical realities and the challenges of digital transformation. This presentation will address the following key issues: What are the trends and challenges in security organization design? What are the factors that influence security organization design? What are the current best practices and contemporary conceptual design models for security organizations?
Privacy has come to be acknowledged as a fundamental human right worldwide. Increasing regulatory pressure to enhance control over personal data affects how we look at our analytic activities, customers’ rights and the CX, project development and outsourcing activities. Organizations need to establish a risk-based approach to handling personal data to mature privacy protection and deliver customer trust and satisfaction.
Nation-state intrusions are targeting organizations of all sizes across multiple verticals. This session will dig into this topic and provide pragmatic guidance on the issue and what you can do to address it in your own security program.
Against the backdrop of an uncertain future, organizations that have the ability to change rapidly will have a leg up. Yet conventional wisdom is that change is hard, especially culture change — especially in regard to understanding and managing risk. Getting this right can be a source of long-term competitive advantage.
This session provides an overview on the state of risk management planning, decisions, challenges, and solutions. This expands on the "State of Risk Management" from previous outlooks. In 2019, this outlook will converge three parallel risk conversations — digital transformation, information risk, building and maintaining resilient organizations.
Effective cybersecurity is predicated on a defensible program. This presentation introduces and discusses the characteristics of a defensible security program. What are the components of a cybersecurity program? What makes the program defensible to key stakeholders?
Almost 50% of CIOs indicate that culture is the biggest barrier to digital business success. Culture is one of five major imperatives of ContinuousNext, a strategy to converge IT with its organization. A risk-aware culture ensures that the protection of that convergence is a priority. This presentation introduces ContinuousNext, risk culture fundamentals, and actions to ensure a risk-aware culture.
How much risk is too much? Let’s manage our risk appetite! Sounds easy, but most CISOs don’t know what their enterprise or cybersecurity risk appetite is. Join us on a trip to effective and efficient risk management. What is risk appetite and why do you need to know yours? Best practices for having risk appetite discussions. What does a good cybersecurity risk appetite statement look like?
To better address the needs of global CEOs and senior executives, end-user organizations are shifting focus away from governance, risk and compliance (GRC) to IRM solutions. This session will present the study and results of Gartner's evaluation of the integrated risk management solutions market.
Digital business is forcing changes in the focus, direction and currency for organizations. It is even changing what leaders believe is the management of risk. This presentation describes those changes, their impacts and your options in evolving current risk process — or allowing its extinction in favor of something new.
Vendor risk management isn’t just required in highly regulated industries, it’s good practice in all industries. But today’s approaches are mired in lengthy and complex assessment surveys that span a variety of threats and risks. This session will discuss how to improve and enhance your model for managing vendor risks. Why is vendor risk management important now? What are the current best practices in a vendor risk management life cycle? How can we improve the efficiency and value of our vendor risk management programs?
Buyers are increasingly adding incident response services, but fewer are adding breach response services. These are distinct offerings, but often confused as being the same service. In this session for security and risk management leaders, we explain the differences between the services, the questions to consider when determining if you need one or both, and the provider landscape for these services.
Security and Risk Management Leaders should implement or improve upon these Top 10 security projects in 2019. Any security project must be supported by technology, address the changing needs of cybersecurity and reduce risk by adopting a CARTA strategic approach with all security projects.
Cloud security remains a top priority. This presentation summarizes the problems, recommended processes, and new product types to address three key issues: What are the unique risks associated with public cloud service providers, and how can they be controlled? What are the unique security challenges of IaaS and how can they be mitigated? What are the unique control challenges of SaaS, and how can they be addressed?
Unified endpoint management — bringing together enterprise mobile and non-mobile platform management and security — is one of the hottest topics in enterprise IT. The vendor landscape is changing quickly. We present the 2018 Magic Quadrant and Critical Capabilities in this presentation.
In the second iteration of Gartner’s Magic Quadrant for cloud access security brokers, new vendors were evaluated and several vendors changed positions. We also published a companion Critical Capabilities note. This session will discuss: What are the changes this year? What is the current state of the market? What is the best way to determine which vendors meet your requirements?
The secure web gateway marketplace continues to be dominated by appliances; however, the rapid growth of cloud services is becoming a disruptive force in the marketplace. Many vendors have added cloud access security broker functionality through partnerships or technology acquisitions. This session will review the SWG Magic Quadrant and Critical Capabilities research and discuss the major market trends.
Application security testing is challenged by the pace and complexity of application development. In this session, we will cover how application security testing technologies and offerings might advance in the coming years to meet the demands of digital business.
Endpoint security challenges are rising to new levels of complexity as the definition of an endpoint blurs across clouds, BYO, workstations, mobile, wearables, “things” and pure software. This session will address: How are endpoint security risks expanding? What are the primary attack trends that will influence the strategic requirements for endpoint security? Which technologies and practices will protect endpoints in 2025?
Security and risk management leaders need to develop security strategies that treat data as a pervasive asset (and liability). New data privacy laws and the continued growth of data breaches are increasing business risks. Data security governance is an emerging risk-based framework that will help plan and orchestrate policies across data security products that are siloed and do not integrate.
Organizations are experimenting with artificial intelligence in security. As evaluation procedures mature, the first disillusionments are appearing. This session will review the state of AI and machine learning usage in various security and risk management areas, and give recommendations to: Navigate through AI marketing. Define evaluation principles for solutions adding new algorithmic approaches to existing security fields. Prepare to avoid or minimize the backlash when results are not up to expectations.
IT buyers just want to fix today’s problems. But it’s time for you to think like an investor, and not get burned over the next technology shift. What are the steps security and risk leaders must follow to build a strategic security roadmap, using Gartner’s Hype Cycle and other predictors? How do you assess the timing of new partnerships based on long- and short-term behavior of vendors? How do security vendors influence your business integrity?
At a minimum, cloud computing breaks into 3 primary layers: SaaS, PaaS and IaaS. This presentation will explain the 3 primary security controls for each of these layers: CASB, CSPM and CWPP respectively. In each section, we’ll explore selection criteria and examples of vendors for each solution category.
Modern security operations are evolving. They rely heavily on foundational technologies such as SIEM to accomplish their mission, and also adopt various analytics approaches. They struggle with more automation — of both thinking and acting — that promises to relieve humans from routine tasks, but sometimes adds more work for already overworked security teams. This session will address these key issues: What defines best-in-class security operations of 2018? What trends are affecting security operations? What will the future bring?
Using a service provider to help manage SIEM operations can be an effective way for security and risk leaders to make the best use of limited resources and improve the security monitoring and response program. In this session, we identify 3 elements to make sure to include in a contract with a service provider, and how to overcome the provider’s objections to them. We’ll address: defining responsibilities in a co-managed SIEM relationship; understanding service provider concerns and push back; setting up mechanisms to monitor and adjust the relationship.
Earlier this year, Gartner published updated guidance on how to better run this foundational security process. This presentation will go over this new way of doing vulnerability management more effectively. Why did Gartner make significant changes to its guidance on this critical process? What does the new RBVM (risk-based vulnerability management) actually look like? How can you bring this to life inside your own security program?
MITRE’s ATT&CK framework, while relatively new, is gaining traction in many security operations teams around the world. This session will be part introduction to the ATT&CK framework, covering its pros and cons and use cases for it that you might not have heard of, and relating it to the Gartner CARTA framework where applicable. What is this framework about? How is it applicable in security operations, and how does it relate to the Gartner CARTA framework? What can you do with a framework like this in your security operations program?
Security and risk management leaders should select application security testing (AST) tools and services and embed them in the SDLC as a critical component of an application security program. In this session, we will illustrate the market and main vendors in the AST space.
SIEM solutions continue to evolve to address a variety of persistent challenges — how to keep up with changing external and internal threats; increases in the volume, velocity and variety of data sources; and how to effectively implement, manage and use the solutions as expertise and resources become more constrained. New entrants have emerged from the UEBA space, and primarily emphasize a user-based approach to monitoring for threats, compared to the more traditional approach of event-based monitoring oriented around IP addresses and hostnames.
SIEM technologies are also adopting more advanced incident response capabilities through the addition (either natively, via acquisition or via integrations) of functions that add SOAR capabilities. Organizations looking to shorten the deployment cycle and transfer responsibility for managing a SIEM tool's platform are leveraging SaaS or hosted SIEM solution options.
Good information security hygiene is a must, but many organizations lose focus on getting the basics right, leading to an unjustified level of confidence in risk posture. Join us and learn: What are the key activities, capabilities and practices for organizations? What are the activities that you can delay or even skip entirely? Why doing the basics is more important than ever.
Like AI before it, quantum computing and related quantum technologies like quantum key exchange, quantum random number generation and homomorphic encryption are poised to make huge changes to the technology landscape as they mature. What are the important quantum computing technologies that will impact your business? How will long established security tools like RSA change?
As more security vendors target your hybrid and cloud SaaS, IaaS and PaaS solutions, we are getting lost in too many acronyms. This session will help decipher the acronym soup and provide prescriptive guidance on what your organization needs to protect your cloud infrastructure and applications. We will also discuss best practices on implementations and how to evaluate and build a shortlist for your vendor selections.
The rapid adoption of SaaS applications such as Microsoft’s O365, Salesforce and others is driving enterprises to rearchitect their networks, so that remote offices can achieve direct internet access with SD-WAN and other techniques. Enterprises will be purchasing more cloud-based security services and fewer appliances. Here, we will highlight best practices that enable a smooth transition to the adoption of cloud-based security services.
This presentation offers a structured approach to plan, establish and efficiently operate a modern SOC. Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors of SOC success or failure. Do I need a SOC and can I afford it? Where can I rely on automation and where do I need to outsource or delegate? Can SOAR tools really automate my SOC?
This session will discuss the advanced security features included in the M365 E5 license suite. We will also discuss licensing, then dive into advanced data protection, email protection, conditional access, Azure AD Premium P2 and all of the other advanced features. Then we will compare and discuss use cases where third-party solutions can be integrated and whether they are required.
How do you start building a cloud security architecture? Do you use business needs and context to guide the selection of logical controls? What cloud-provider-native and third-party vendor security offerings are available as security components? This session presents steps to construct a cloud security architecture while aligning with required best practices, frameworks and standards.
The increased use of AI in security has not gone unnoticed by attackers. In this session, we explore the attacker’s perspective on machine learning, covering adversarial as well as nefarious ML: How attackers may attack security solutions based on ML at training and at prediction stages. How ML may accelerate innovation in attacker techniques.
In a world of cloud, does infrastructure security matter? As organizations move more services to the cloud, the problem shifts to managing user access and data. Attend this session to learn about emerging trends in the convergence of cloud, identity and data security, as well as best practices regarding cloud security that you can leverage now.
Cloud native applications rely heavily on containers and serverless functions to build out event-driven, microservices based application architectures. Legacy on-premises security patterns won't work and won't scale for the needs of cloud native applications. This presentation will discuss the security patterns and best practices for securing cloud-native applications, including container security.