
TRACK 4: Leading the Security and Risk Management Team Through Turbulent Times

How do you align security and risk management with the business? How do you get staff to comply with policy? How do you articulate the business value of security? How do you balance the budget? Leading the information security or risk management function is a special responsibility, requiring a mix of technical, political and social skills.

Register Now and build your agenda at europe.gartner.com/security

Transforming from CISO to IT CRO
As enterprises reform their compliance efforts from reactionary to risk-oriented, chief information security officers (CISOs) and other IT risk management and security professionals will need to follow along or will find themselves deemed irrelevant to the business. However, CISOs who develop competencies in enterprise risk management (ERM) and business analysis will be able to align IT risk management with business performance - for the benefit of both.
- What are the relationships between IT security, IT risk management and enterprise risk management?
- How will business risks be better managed if IT security professionals play a direct role in enterprise risk management?
- What are the skills and process disciplines needed for IT security professionals to contribute to the enterprise risk management program?
French Caldwell, Gartner

Know IT Security? Prove It! Developing Your Career With the Right Security Qualification
In times when even venerable IT security jobs may be at risk, you need a little bit extra that makes you stand out from the crowd. Having a security certification can help, but it can also pigeonhole you in terms of your perceived skills. When just about everyone has some certificate, what can you do to make sure you have the right one?
- What are the benefits of the personal certifications that exist today?
- How do training, exam, peer review and continuous education influence the value of certification?
- What skills and certifications should an employer look for when optimizing the team structure?
Carsten Casper, Gartner

Report to the Board: Five Practical Tips to Link Risk and Security to Corporate Performance
A board wants to know that the organization is appropriately protected against reasonably anticipated risk. CIOs, CISOs and RMOs struggle to link risk management efforts in security, privacy, business continuity and compliance to the value they provide at line-of-business and executive levels. A handful of companies have figured it out, and these five practical tips can help you solve this challenge.
- What do boards of directors and line-of-business executives want from risk management, GRC and security?
- How do you map key risk indicators into key performance indicators to support corporate performance?
- How can you present a defensible case for the value and effectiveness of risk management to executive audiences?
Christian Byrnes, Gartner

Integrating Security Management Into ITIL v3 Strategies: Case Study and Best Practices
Version 3 of ITIL takes a life cycle view of service management, as opposed to the functional approach of previous versions. While this is a major improvement in approach, it has major practical implications for IT security, risk and compliance strategies. This presentation will look at:
- What's new in ITIL v3, and how it impacts security management strategies
- A case study of how a multinational organization has integrated its security and risk management program into its ITIL v3 program
- Best practices in using ITIL v3 to align security and service management strategies.
Tom Scholtz, Gartner

Gartner Workshop Session: Security Maturity Self Assessment
Assessing the maturity of security management processes is the foundation of continuous improvement in security performance. Consistent reporting on process maturity supports increased executive awareness and support. Furthermore, process maturity can also be interpreted as an indicator of the risk posture of the organization.
- How should organizations define a security and risk process catalog?
- What are the steps for formalizing security processes?
(Audience limited to 40 - 1hr 30min session)
Christian Byrnes, Paul Proctor, Gartner

The Risk Program Maturity Benchmark: How Does Your Organization Stack Up?
Gartner has surveyed several hundred organizations, in different geographies and verticals, and of different sizes, across 12 dimensions of program maturity. Come to this presentation to find out how you compare.
Paul Proctor, Gartner

No More Dr No: A Framework for Positive Information Security Management
Security controls are inherently restrictive, and consequently the nickname of many organizations' information risk and security management is "Dr No." However, there are a number of governance, process, cultural and technological actions that information security leaders can implement to align their programs more closely with business strategies.
- The symptoms, causes and consequences
- The governance, process, cultural and technical characteristics of a business-aligned security practice.
Tom Scholtz, Gartner

Register today at europe.gartner.com/security

The Gartner Best Practice Council Panel Discussion: Meeting the Business Half Way
Safeguarding information in a corporate IT environment - a 'consumer-centric' arena of changing threats - requires an agile and responsive approach from the security team. In this interactive debate, hear how a number of leading-edge organizations have approached this essential area in terms of strategy, governance and communications.
Richard Barber, IT Security Strategy & Risk Manager, British American Tobacco
Ian Mason, Gartner Best Practices Councils EMEA
Casimiro Juanes, Head of IT Security, Ericsson
Paul Jervis, CISO, RWE nPower

Instituting an IT Risk Reporting and Management Framework at Euroclear
Gaining management acceptance was positively affected by linking risk to specific IT processes - Euroclear created a consistent framework containing flexible reporting.
- Addressing risk and reporting at the strategic, operational and tactical levels
- Ensuring clear reporting to enhance acceptance and understanding.
Olivier Nijland, IT Risk Manager, Euroclear

Using DLP to Prevent Misuse of Confidential Information
Banc Sabadell Group will present their experience of selecting and implementing a solution in this field.
- What to do before deploying a DLP solution
- Measuring our success in helping to detect, monitor and prevent misuse of data
- Best practices for formulating the correct process.
Santiago Minguito, Information Security Manager, Banc Sabadell Group

A Practical Integration of ISO 27001 and ISO 27005 for Superior Security Management
The case study illustrates how an organization with many varying lines of business can define and link together in a practical way:
- A common mandatory guideline and baseline for information security based on ISO 27001
- A mandatory information classification model
- An information security risk assessment process based on ISO 27005.
Jan A Svensson, Director Information Security, City of Göteborg

Implementing Network Access Control for the Swiss Federal Railways
This session will highlight the common threats for large enterprise networks and how a Network Access Control (NAC) solution can help minimize the risk. The focus will be on evaluating and implementing a NAC solution in a large and heterogeneous environment:
- Key points to consider when evaluating a NAC solution
- Overview of the solution chosen by the Swiss Federal Railways
- Sharing our hands-on experience in implementing NAC
Alexander Hermann, Security Project Manager, Swiss Federal Railways

Advanced Security Practice Workshop: Risk Management - for the Advanced Information Security Practitioner
This workshop will begin with a bottom-up view from within IT of the current state of IT risk management. We will move forward by taking a look at the risk landscape facing all organizations. This will highlight the gaps that are all too often present between where organizations are and where they need to be. We will go on to explore the resources readily available to organizations to enable them to close the gaps and effectively manage IT risks.
Roger Southgate, Leader, London CobiT Development Group and President, IT Governance Standards, ISACA

Security Essentials for the 21st Century: Security Leaders, Not Just Managers
Your professional development objectives should ensure you learn how to move from 'pushing' employees toward security objectives to leading and taking them with you.
- Becoming a true leader drawing employees toward security goals
- Securely enabling the organization in an inherently insecure environment
- Moving from a technology focus to a 'soft skill' people focus
Jim Heard, Information Security Manager, Centrica Energy

End-User Case Studies
The case studies bring practitioners' own experiences at leading organizations from a variety of industries and countries to the event. They demonstrate the challenges, adopted solutions, chosen processes and resulting benefits that you can apply to your own environment. Best practice examples and real-world know-how showing you what you want to do - and what to avoid.

Register Now and build your agenda at europe.gartner.com/security