Monthly Archives: September 2013

What not to say at a security conference

It’s Thursday afternoon. The guest speaker is talking about how his company rolled out a global cyber security training and awareness programme. He opened up a live session. He showed us the site.

In a browser.  On a shared presenters’ laptop.

Which asked him if he wanted to save his password.

And he said yes.

The audience groaned, but I don’t think the poor lad understood what had gone wrong.

If only he wasn’t a cyber security trainer.


Gartner Conference

Another Gartner conference



Event Agenda: Gartner Security & Risk Management Summit – SEC14I

T1: Tutorial: Preparing a Security Strategic Plan

Speaker: F. Christian Byrnes

The Gartner five year security and risk scenario provides a target for where your security and risk program should be in 2018. This presentation explains how to create a strategic plan that can get you there.

T2: Tutorial: Top Security Trends and Take-Aways for 2013 and 2014

Speaker: Carsten Casper

With the Nexus of Forces driving continuing trends in cloud, consumerization, mobility and big data, the way IT is delivered is changing. Each change brings new threats and breaks old security processes. This session reviews the hot trends in security for 2013 and beyond while providing a roadmap to the summit and relevant Gartner research.

SS1: 60 Seconds or Bust: Summit Solution Snapshots

Speaker: Ant Allan

P1: Summit Chair Welcome and Gartner Keynote: Reset

Speakers: Carsten Casper, F. Christian Byrnes, Paul E. Proctor, John A. Wheeler

Security and risk professionals are always evolving their approach to address new realities in business and the threat environment. Our trajectory and anticipated future challenges are demanding another reset to your approach. A reset that creates and sustains significant security and risk benefits to your organization and your career. Why? Threats are increasing, urgency for growth is increasing – yet budgets are not. As security and risk leaders, you know the right things to do, now is it time to ensure that the organization does them consistently as well. 2013 is the year security and risk management leaders must execute.

SS2: 60 Seconds or Bust: Summit Solution Snapshots

Speaker: Rob McMillan

P2: Industry Panel

Speakers: Dionisio Zumerle, Richard Nichols, Dean Darwin, Rik Ferguson

Industry panel, moderated by Dionisio Zumerle, with Richard Nichols, EMC; Dean Darwin, F5 Networks; and Rik Ferguson, Trend Micro.

P3: Guest Keynote: The Struggle for the Internet: Crime, Communication and Espionage

Speaker: Misha Glenny

Criminal and subversive activity on the Internet is on the increase. Notwithstanding the rapidly expanding investment in ‘digital solutions’ to security problems, the cost of attacks to businesses and society is increasing every year as the size of the global online community continues to rise exponentially, especially in Latin America, Africa and Asia. There are three major areas where we remain vulnerable. First, there is the continuing failure of cyber security professionals to develop a convincing narrative that can promote the importance of cyber security; second, there is the ingenuity of cyber criminals and ‘hacktivists’ themselves; finally, we now have to recognize that security and intelligence services are playing an ever greater role in the world of Black Code. Using his unique blend of video, sound and his own writing, including interviews with cyber criminals and intelligence professionals, Misha points to ways that help businesses and individuals to survive the increasingly perilous cyber environment.

VT1 : SAP: The Mobile App is the New Endpoint

Speaker: Milja Gillespie

Today’s new mobile devices and BYOD environments cause IT organizations to struggle to meet strict security requirements. To exploit the power of mobile devices means securing the apps that run on them. Attend this session to learn how to add end-point security by wrapping policies around individual mobile apps.

VT3 : Intrinsic-ID: Saturnus: Secure Cloud Storage and Sharing for Your Company

Saturnus is a data encryption and cloud storage application aiming at easy and secure availability and exchange of data, even for heavily regulated businesses. Encryption keys are stored in a physical token and are generated with the strongest randomness. Finally, it provides tracking information about employees’ data access and exchange.

W1: Workshop: Getting Value out of IT Security and Risk Metrics Programs (Reserved for end-users only, pre-registration required.)

Speaker: Ramon Krikken

Security and risk metrics are subjects of never-ending discussions. In this analyst-led, collaborative workshop we will review a practical approach to developing security and risk metrics, and then break into small groups to develop an example metrics list, metrics dashboard, and/or metrics program plan. The results will then be socialized with the whole group, so that all participants can use this knowledge in developing or enhancing their metrics programs.


A1: Context-Aware Security: Security In a World Where You Don’t Control Anything

Speaker: Neil MacDonald

Multiple simultaneous trends are forcing a fundamental rethinking of information security. Mobilization, consumerization, collaboration, virtualization and the shift to cloud computing break existing information security paradigms. A new approach is needed. This presentation will explore context-aware security controls and platforms and how these will help organizations embrace business demands for consumer devices and cloud-based computing.

AUR1: Roundtable: Establishing and Communicating Risk Appetite and Tolerance Levels (Reserved for end-users only, pre-registration requi …

Speaker: Mario de Boer

Risk appetite and risk tolerance are two key concepts in IT risk and security management. Although their importance is evident, many organizations struggle with expressing these levels such that they can be used in risk assessments and business decisions. Discuss best practices with your peers during this interactive round table discussion.

B1: GRC 4G: How Social, Big Data and Risk Analytics Are Changing GRC

Speaker: French Caldwell

GRC vendors have a lot of catching up to do. Most vendors have yet to offer effective 3rd generation GRC, which focuses on performance, much less apply 4th generation GRC, which focuses on decision making. However, risk managers can help push the envelope on what will be within the art of the possible for the 4th generation of GRC.

C1: Using Managed Containers to Protect Information on Mobile Devices

Speaker: Eric Maiwald

Managed containers are a mechanism to protect enterprise information on the mobile device while separating it from employee data. Enterprises should consider container technology but there are downsides. This talk will show how containers can be used to meet enterprise needs and how enterprises can benefit from the technology.

D1: Enabling Mobility Securely By Protecting Applications on Mobile Devices

Speaker: Dionisio Zumerle

Organizations are implementing ways to protect mobile devices and mobile applications residing on mobile devices. Enabling applications on corporate or employee-owned devices is a major mobile security issue.

The presentation will talk about the major trends in mobile application security, and the most effective solutions to adopt.


E1: Managing Global Recovery and Continuity Risk

Speaker: Roberta J. Witty

The challenge of orchestrating efficient, effective and sustainable business continuity across a global organization requires addressing difficult people, process and technology issues.  This session will discuss how to develop the structures and procedures to reduce operating risk across different geographies, time zones and operating cultures.

• 14:00 Wednesday 18 September

V3 : Trend Micro: Cyber Crime Outliers: Professionals Improving their Craft?

Speaker: JD Sherry

What impact will the rapid growth of threat intelligence data and analysis capability have on the cyber security arms race and how are cyber criminals changing their tactics in light of advancing security solutions like sandboxing and network traffic analysis?

V1 : EMC: Intelligence Driven Security – A New Approach

Speaker: Rashmi Knowles

Government agencies and prominent corporations have succumbed to stealthy, tailored cyber attacks designed to exploit vulnerabilities, disrupt operations and steal information.  Current systems fail to stop or sense the presence of an attack. A new approach is required to gain visibility, agility and speed to deal with threats.

V4 : AirWatch: How to Secure the Next Phase of Mobility

Speaker: Adrian Dumbleton

Enterprise mobility continues to evolve as end users access corporate data through content collaboration tools, applications, email and web browsing on smartphones, tablets, laptops and peripherals.

Adrian Dumbleton, UK Mobility Market Lead at AirWatch, discusses the converging mobile landscape and strategies to empower the workforce with secure enterprise mobility management.

V5 : HID Global : Beyond Passwords : Cloud and BYOD Security Best Practices

Speaker: Ian Lowe

Where do you stand on cloud and BYOD adoption in your organization? Over 50% of employees purchase personal smartphones and tablets based on if they can be used for work purposes.  This session outlines best practices for enabling secure access to cloud applications and a BYOD customer case study.


V2 : F5 Networks: Control the Application, Control the World…

Speaker: Gary Newe

HTTP is the new TCP and applications are the centre of everyone’s business, but we’re still vulnerable to attacks. Recent news reports are filled with DNS attacks, Web Attacks resulting in DOS, defacement, and stolen user details. Join us to review recent Application Security threats and discuss mitigation options.

AUR2: Roundtable: BYOD and mobile security (Reserved for end-users only, pre-registration required.)

Speaker: Dionisio Zumerle

Enterprise mobile security is at the top of the agenda for organizations. Mobile devices, and mobile applications residing on smartphones and tablets, must be secured. This roundtable will enable a discussion of planned and successful efforts and ideas between industry peers, to provide data and applications for the mobile workforce.

W2: Workshop: So You Have A New Content-Aware Data Loss Prevention Solution… Now What? (Reserved for end-users only, pre-registration …

Speaker: Eric Ouellet

While DLP is quickly becoming part of the standard of due care for various industries (Finance, Insurance, Healthcare, Manufacturing & Design), it is still a very misunderstood technology in terms of what it can and should be used for. This session will look at the best approaches for implementing a new DLP solution and get you from zero to very useful.

A2: Case Study Presentation: Facing Your Mobile Monsters in the Dark Closet of Social Networks

Speaker: Boris Goncharov

In 2013 the information security society looked through the “PRISM” and saw the disturbing images of the Life as a Service reality: a reality of fading security boundaries, countless risks, uncertainty and fear, born from the union of mobile technology and social networks.

This presentation will try to bring more intimate knowledge about this “Reality” and to provide some key suggestions on how to cope with it, including:


∙ How to define and establish a mobile device & social networking governance model

∙ How to define an adequate risk assessment approach

∙ How to write meaningful BYOD & AUP policies

∙ How to develop a security controls specification

∙ How to define an assurance and evaluation framework (including penetration testing methods & requirements)

B2: Case Study Presentation: Corporate Intelligence: The Evolution of Real Time Risk Management and Intelligence in Security

Speaker: Isabel María Gómez González

During this presentation, Isabel will share her view of the new challenges of global risk management, and discuss the new threats that Bankia has had to confront in real time, and how a new global methodology was born taking into consideration all the new environmental factors, like political changes, legal environment, economic environment or new regulations. Isabel will also examine how to make managerial decision-making easier through improved information provision; how to replace “we think that” (opinion) with “the data indicates that” (facts); and how to reduce ISMS management workload by 67%.


Attendees to this presentation will take away a clear explanation of the main targets of the project that Bankia faced in achieving corporate intelligence, the things that they would change if they could turn back time, and how Bankia have developed a neutral tool based on the new methodology, how they work and what they have achieved, and what their plans are for the future.

E2: Case Study Presentation: Business Continuity Best Practices in Natural Disasters: The Van Earthquake

Speaker: Mustafa Komut

During this presentation, Mustafa will explain how Vodafone were tasked to provide a public service by means of “communication” following the Van earthquake. He will discuss how the business continuity team coped in terms of business continuity, Information Services and Network Operations, emergency management & stakeholder communication. He will also explain how the Van Earthquake management case has helped them as an organisation to develop guidelines to determine tasks/actions to be performed for further possible cases & improvement areas to develop their processes. He will provide analysis from the ‘post mortem’ analysis that they made following the incident, and the lessons learned that you could apply around your business continuity strategies within your organisation.

D2: Case Study Presentation: Risk Management: Is it Candy, a Bitter Pill or a Guiding Tool for Business?

Speaker: Osman Veysel Erdag

Risk Management and governance issues are generally seen as overhead and unnecessary by business units and operational units.

In order to change their attitude, IT Management should show the value of risk management. However, classical GRC systems are neither user friendly nor considered ‘enough’ to add such value. In this presentation, details of a service-based risk management approach and “Risk in Transition” (risk of services affecting other services) will be explained. Furthermore, the limitations of traditional GRC systems, the methods to overcome these limitations to represent IT service risks graphically, and how the relationships are created between services will be defined based on experiences.

MQ1: Magic Quadrant: Application Security Testing

Speaker: Neil MacDonald

The security information and event management magic quadrant evaluates vendors that provide security monitoring for threat detection and compliance reporting.

W3: Workshop: Meeting Business Needs for Mobility and Security (Reserved for end-users only, pre-registration required.)

Speaker: Eric Maiwald

At the root of the mobile strategy is the information users need and for which risk of disclosure needs to be managed. BYOD adds another dimension to the problem. This workshop examines the conflicts and tradeoffs between security and other use case requirements along with decision logic to help navigate through them.

RT1 : EMC: Current State of Cybercrime 2013

Speaker: Nick Edwards

Cybercrime has become a sophisticated industry rivaling any legitimate competitive industry pursuing profitability through innovation, automation, commoditization and specialization. In 2012, phishing cost organizations over $1.5 billion. We will look at the threat landscape, how cybercriminals are changing the way they do business and the threats to mobile users.

V6 : Secunia: Complete Patch Management: The Antidote to Security and Operations’ Nightmares

Speakers: Marcelo Pereira, Raphael Perez

Known vulnerabilities continue to be exploited causing businesses significant losses. Though security specialists agree that security patching is the solution to these threats, few organizations succeed in implementing an effective strategy. Secunia invites you to discover “Complete Patch Management” and see it applied from a System Center 2012 user perspective.

V9 : Qualys: The Financial Conduct Authority (FCA): Overcoming the Defender’s Disadvantage

Speaker: Jules Gascoigne

As organisations rapidly adopt and expand technologies to meet changing business needs, they face the difficult challenge of keeping them secure and compliant, potentially handing an advantage to attackers. Learn how the FCA gains continuous visibility of security vulnerabilities using cloud security and compliance solutions to help fend off cyberattacks.

V8 : NetIQ: Identity Management – It’s Never “Just An Upgrade”.

Speakers: Kenny Ryder, Derek Gordon

With Identity Management previously utilised to drive efficiencies within IT, Standard Life understood the value that could be derived by evolving to a business-centric approach. In this session hear how Standard Life achieved role visibility across the organisation, enabling them to make informed decisions about access entitlements and reduce risk.

V7 : Wipro Technologies: Cyber Risk Management – A Comprehensive Approach

Speaker: Avinash Prasad

Enterprises today have to protect their critical assets  and deal with threats emanating from various sources to manage their cyber risks.

Effective Risk Management to address the threats from the cyber space demands a holistic ‘Risk based’ approach across the enterprise boundaries including IT, OT and Physical landscapes.

VT4 : General Dynamics Fidelis Cybersecurity Solutions: Put Malware In Its Place

Speaker: Tom Lyons

Advanced malware is making a mockery of network-based defenses. Threat actors deliver their exploits through a variety of protocols, not to mention the rapidly changing infrastructure for delivering these attacks, which renders traditional defensive measures useless. Learn how multi-dimensional threat detection is key to keeping the bad guys out.

A3: To the Point: Transform Your Security and Risk Program or Find Another Job

Speaker: Paul E. Proctor

Only about 30% of IT Risk and security officers have truly risk-based programs. The other 70% continue to struggle with outdated security programs that are doomed to repeat the same failures. We have reached a tipping point where transformation is not just an option, but a requirement to keep your job.

B3: To the Point: The Risk Management Maturity Pathway

Speaker: Rob McMillan

Improving risk management maturity is fundamental to improving the cost-effectiveness and business alignment of the enterprise’s risk activities. Gartner’s ITScore for Risk Management is designed to help you achieve this.  Take a brief tour to see what maturity levels 1 through 4 look like, and where your organization may fit.

C3: To the Point: Why is your Organization at Greater Risk Now that it is Encrypting Sensitive data?

Speaker: Eric Ouellet

Your organization has implemented encryption to protect your sensitive assets and has achieved a checkbox against an annoying requirement. Are you really better off than you were before? Or is the security blanket actually on fire?

D3: To the Point: Security Specialist Career Guide: Prosper, Survive or Leave

Speaker: Joseph Feiman

Cloud is a transformational phenomenon that changes our businesses and our IT organizations.  Will cloud transform IT workforce?  Will it threaten people’s job security?

E3: To the Point: The Business Continuity Management Planning Market In-Depth

Speaker: Roberta J. Witty

Organizations are realizing that managing recovery plans using office management software is not feasible. Some firms have over 1,000 plans; therefore automation is required. This session will present the BCMP software market magic quadrant and discuss best practices for implementing and using the tool for maximum effectiveness within the organization.

A4: To the Point: The Information Security Maturity Pathway

Speaker: Rob McMillan

Improving information security maturity is fundamental to improving the risk-effectiveness and business alignment of the enterprise’s security activities. Gartner’s ITScore for Information Security is designed to help you achieve this.  Take a brief tour to see what maturity levels 1 through 4 look like, and where your organization may fit.

B4: To the Point: Roadmap for Intelligent Information Governance

Speaker: Debra Logan

With the influx of types and volume of unstructured data, organizations are struggling with how to manage the governance and compliance issues associated with this data. This session will review 1) the scope of the problem with all the unstructured “dark” data, 2) what the best policies are to implement to govern this data and 3) what technologies/tools are available to implement the policies.

C4: To the Point: Identity and Access Management Gets Social

Speaker: Ant Allan

While the use of social login to simplify new customer registration and customer login is getting increasing attention from enterprises and IAM vendors, this may be the least impact that social has on enterprises’ IAM programs. This session explores how social will reset your IAM world and how IAM can evolve to meet the challenges and embrace the opportunities of social amid the Nexus of Forces.

D4: To the Point: Should you invest into Advanced Persistent Threat Detection Technologies?

Speaker: Jeremy D’Hoinne

For years, CSOs who have succumbed to the mermaid of 100% protection have been drowned by false positives and disillusion.

New technologies emerge, and system emulation is the new black for security.

Let’s dive into the fundamentals of good security strategies against APTs to see if these new technologies have their place.


E4: To the Point: Presenting a Hard Target to Attackers – Operationally Effective Vulnerability Management

Speaker: Mark Nicolett

Today’s attackers are getting better at finding and exploiting security weaknesses. The first order of business is to present a hard target to the attacker. Vulnerability management needs to be extended to deal with emerging threats, and to accommodate the requirements of cloud services. This presentation provides advice on how to extend vulnerability management to meet new requirements.

A5: Top 10 Security Myths

Speaker: Jay Heiser

It is often said that ignorance is bliss–but only until the hack occurs.  This presentation will introduce some of the most common misconceptions about security, and conclude with best practices on how to improve your organization’s risk management culture.

AUR3: Roundtable: How Does BCM Fit Into the Enterprise Risk Management Program? (Reserved for end-users only, pre-registration required. …

Speaker: Roberta J. Witty

reporting management arrangement. This roundtable will allow conference participants to discuss what works and doesn’t work for their organizations in regards to integrating BCM into the organizational or enterprise risk management program.

B5: Ethics at the Nexus of Security, Privacy and Big Data

Speaker: Frank Buytendijk

If privacy were only as simple as following law and regulations. It is not. The “creepy line” is as fuzzy as it is real. The discussion about privacy, and beyond that, ethics, is dangerously absent in the world of big data. Organizations letting their big data technologies and analysts run amok and focus on opportunity only, run significant reputation risk.

C5: Forget MDM: Extending Security and Identity to Mobile Apps

Speaker: Ramon Krikken

Mobile brings up old and new security concerns. Three important elements of the application architecture —the platform, client-side application and back end—affect and are affected by security and other requirements. Understanding the most critical challenges and solutions around identity and security for each of these elements is the foundational knowledge from which to build mobile apps that are both secure and delightful to use.

CNC1: Clinic: Cloud Contracts: Developing Your Own Security and Risk Exhibits (Reserved for end-users only, pre-registration required.)

Speaker: Gayla Sullivan

This clinic will cover key areas to include as a part of a standard boilerplate exhibit that Security and Risk Management teams can share with Procurement/Vendor Management.  We will discuss key areas to include such as: Disaster recovery, audit rights, privacy, confidentiality, backup, SLAs and security requirements.



D5: Bring Your Own 4G: Are The Wireless Networks You Use For Business Secure?

Speaker: Dionisio Zumerle

When using wireless or mobile networks business users must have an understanding of where the risks lie for corporate data exposure.


Adopting some best practices to avoid these risks can be beneficial for the organization. Moreover, broadband wireless and mobile networks can empower mobile security solutions on top of the network.

E5: Cyber Security for the Internet of Everything

Speaker: Earl Perkins

The Internet is expanding to include connections not only to people but to machines: automobiles, buildings, power grids– millions of sensors and control systems, all needing protection.  How can enterprises that embrace the Internet of Everything (IoE) in their businesses prepare for threats to such systems?

A6: Cost, Consequence and Value: The Economics of IAM

Speaker: Earl Perkins

How do we measure the value of IAM? For many, justifying IAM has been elusive. It remains a horizontal concern in the vertical world of business services, something shared by all business functions but owned by none. How can an IAM project be reconciled with the budgets of business?

B6: Social Media Risk Management & Compliance Technologies

Speaker: Andrew Walls

Whether you want to filter content, capture business records or analyze messages for risk, there is a tool or service that can help! This presentation will provide a pragmatic breakdown of the functions and capabilities of current vendor offerings for managing security and risk in public social media platforms.

C6: Practicing Safe SaaS

Speaker: Jay Heiser

Most enterprises continue to struggle with the appropriate use of SaaS, but for most organizations, ‘no’ is not the right answer. Standards and practices for risk assessment and use continue to evolve, but gaps still remain. This presentation provides guidance on the creation of SaaS usage profiles.

D6: Securing Private, Public and Hybrid Cloud Computing

Speaker: Neil MacDonald

Virtualization and the adoption of cloud computing models will force fundamental changes in information security infrastructure. This presentation will discuss best practices for securing virtualized data centers and how security strategies must change as this evolves to private cloud computing models and into hybrid private/public cloud computing environments.

E6: User Activity Monitoring for Early Breach Detection

Speaker: Mark Nicolett

Early detection of targeted attacks and security breaches has never been more important or more difficult to achieve. Your chances are vastly improved if your monitoring integrates security events with threat intelligence and context about your users, assets and applications. User activity monitoring is essential for the early detection of targeted attacks, and has also become part of the standard of due care for a variety of regulations across all industry segments. This presentation provides advice on how to deploy security monitoring technologies such as Security Information and Event Management (SIEM) for user activity and resource access monitoring.

MQ2: Magic Quadrant: UTM and Enterprise Firewalls

Speaker: Jeremy D’Hoinne

Advances in threats have driven mainstream enterprise firewall demand for next-generation firewall capabilities. For small and midsize businesses, unified threat management devices provide multiple network security functions in a single appliance. In both cases, buyers should focus on quality.

V10 : Sonatype: Securing the Software Supply Chain (@ Speed of Development)

Speaker: Wayne Jackson

Like manufacturing supply chains, today’s applications are assembled from thousands of components. Existing security approaches can’t keep up. The threat is real: component security was recently added to OWASP’s Top 10 web application vulnerabilities. Explore this new threat and approaches for securing the software supply chain while improving developer productivity.

V12 : FireEye: The Dirty Truth About Compromises

Speaker: Andy Henry

FireEye – 95% of companies have been compromised and don’t know it. Andy Henry (Europe Incident Response lead for FireEye Labs) will share real field examples of how and why this is happening and, most importantly, what impact this can have on those exposed companies.

V13 : Kaspersky Lab: Mobile, Traditional, Virtual: Strategies for Securing Complex Infrastructures

Speaker: Dave Messett

Very few IT estates are simple these days. The explosion of mobile devices, integration with traditional equipment and applications, and the increasing use of virtual technologies leaves IT staff facing increasing complexity. This session looks at strategies for overcoming these challenges and ensuring the security of complex and varied infrastructures.

V11 : WhiteHat Security: Performing Continuous Application Security Testing

Speaker: Calvin Nguyen

WhiteHat Sentinel is the security platform designed to be the single source of record for continuous concurrent assessments for your applications. Sentinel – a cloud based solution – will assess, verify, and provide tools that will help you manage potential vulnerabilities across your software development life cycle (SDLC).

AUR4: Roundtable: Implementing Social Media Compliance and Avoiding the Ick Factor (Reserved for end users only, pre-registration requir …

Speaker: French Caldwell

Bring your concerns on the use and risks of social media and social analytics to this roundtable and learn from your peers how to improve social compliance and social risk management.


W4: Workshop: A Practical Workshop to Address Cyber Security (Reserved for end-users only, pre-registration required.)

Speakers: Doug Simmons, Serge Eaton

Cyber security is somewhat hyped and has been blown up by the media and industry to create a frenzy in implementing old tin with a new name. Share and explore with Gartner consultants, who have practical experience helping customers to embed SIEM and TVM technologies with a SOC to achieve greater situational awareness. A well-structured CIRT function will bring it all home, with good procedures in risk scenario planning and incident management.

A7: To the Point: Facing Information Sprawl: Secure Synchronization of Data on Endpoints

Speaker: Mario de Boer

Organizations increasingly allow the use of multiple endpoints for business purposes. If no enterprise solution is provided, users are creative in synchronizing data to each of their devices, increasing information sprawl. Learn about the latest synchronization solutions, their security and deployment challenges.

B7: To the Point: Killing IT GRC

Speaker: Paul E. Proctor

Gartner killed the marketscope for IT GRC in 2012 and transformed the coverage of this technology. The drivers, products, and implementations all changed so this was inevitable. The core value of bridging IT to non-IT audiences remains but the new definition changes the landscape for vulnerability and security configuration management.

C7: To the Point: How To Evaluate A Security Consulting Service

Speaker: Rob McMillan

Clients occasionally seek advice about the “leading security consulting firms” in a particular geography. Many factors determine whether a firm is right for the task at hand. Clients must assess the capabilities of a consultant or firm by looking beyond the brand and the marketing hype to seek answers to critical questions.

D7: To the Point: Software-defined Networking and its Impact on Security

Speaker: Eric Maiwald

SDN is being discussed as the future for data center networking. SDN impacts more than just the network infrastructure equipment. It impacts how enterprises implement network security controls. This talk will show how SDN impacts network security and provide recommendations to properly implement security controls within an SDN.


E7: To the Point: BCM Grows Up: How a Nexus of Technologies is Moving BCM into the C-Suite

Speaker: Roberta J. Witty

There are a number of technologies that are making BCM a C-Suite topic because they provide management with an entirely new and complete picture of their organization. This session will discuss what these technologies are and how they can be used for expanded risk management and improved business and operational resilience.


VT2 : Keep IT Secure 24: Why Traditional Penetration Testing Simply Isn’t Right for Your Business

Speaker: Rui Shantilal

The security landscape has been significantly changing, and the traditional penetration testing approach is therefore no longer providing an accurate view of your vulnerabilities. Join us to understand the limitations of the traditional approach and the benefit and impacts to your business of the persistent penetration testing model.

MQ3: Magic Quadrant: Mobile Data Protection

Speaker: Eric Ouellet

Mobile data protection products secure data on storage systems in notebooks and removable media, but also work on desktops and servers. Buyers want common protection policies across multiple platforms, minimal support costs and proof that data is protected.

AUR5: Roundtable: What are the Challenges and Best Practices for Organizing the Security Function (Reserved for end-users only, pre-regi …

Speaker: Tom Scholtz

Do you need a dedicated security team? If so, what should it look like? How many people do you need? Where does it report to? Join your peers to discuss the pitfalls and lessons learnt in security organization.

W5: Workshop: What Do You Buy For the Users Who Have (Access to) Everything? (Reserved for end-users only, pre-registration required.)

Speaker: Ant Allan

Effectively managing privileged accounts – default administrator and other shared accounts, as well as personal accounts, used by internal or external users – requires a fine balance between security, operational and business needs. In this workshop session, delegates will collaborate to identify the most challenging use cases, and work in groups to arrive at the most effective set of products and processes in each case.

A8: Case Study Presentation: Journey to BYOD & The Cloud: Happier users, Less-stressed IT staff and 70% Lower Costs

Speaker: Vlatka Toukalek

Over the past two decades IT evolved from a business enabler under its own conditions (setting up the rules of the game) to a service that is expected to meet not only business but users’ demands, here and now. New technologies are easily built and extended, and only forward-thinking IT organizations can keep the pace and promptly prepare a “defense”. Today’s work force does not only have requirements and demands, they have expectations.


The case study shows how consumerization, BYOD and Cloud provided answers to the challenges of the core business of a non-profit international organization with a tight budget and a traveling work force, operating all over the world, including the least developed countries. It shows how the acceptable risk was determined, what the challenges were and the lessons learnt.


The organization achieved a 70% cost cut thanks to successful implementation of Cloud, BYOD and mobility initiatives, and significantly improved its efficiency and user and customer satisfaction.

D8: Case Study Presentation: Not So Common Sense: A Secure Approach to Making Sense of Social Media

Speaker: Graham McKay

The majority of the DC Thomson workforce does not have a requirement to utilize social media as part of their role, but that wasn’t stopping them speaking about the organization or themselves on social media! As a non-regulated business, social media is not restricted in the workplace, and the decision was made to enable the workforce to use this medium whilst protecting the brands and reputation of the business. Graham will explain how they quickly discovered that people don’t really think before they post, which led into some difficult areas. He will explain how they therefore took the workforce through awareness that not only showed them how to use the tools, but also how the data they post could be used negatively against them and the organization. The awareness and training focused on their personal information, and was not necessarily work based. Graham will aim to illustrate the information and techniques that were used to demonstrate how attitudes to social media have changed.

C8: Case Study Presentation: Security Awareness Programmes – Depressing or Refreshing?

Speaker: Stephen Kerslake

During this presentation, Stephen will explain how Virgin Media have invigorated their security awareness training for all of their employees, making it compulsory for anyone having access to the company’s assets. The presentation will include an online demonstration of how this introductory training is both administered and supported, and Stephen will outline the steps along the way, lessons learned and plans for the future.


B8: Case Study Presentation: Protecting Your Corporate Intellectual Assets through Information Governance

Speaker: Shash Patel

The exponential growth of electronic data generated by corporations is driving organisations to increasingly differentiate the good stuff (company important information) from the bad stuff (digital landfill).


This case study shows how one company is establishing a comprehensive enterprise-wide asset protection strategy to manage and protect confidential and/or sensitive data. That differentiation is driven by developing a clear risk assessment and mitigation methodology using a comprehensive set of enterprise information categories, which are managed by developing a governance framework to reinforce accountability and information ownership.


This approach is looking to help your organization meet its compliance obligations whilst minimizing risks to your company important information, and could also lead to maximizing your opportunities by determining what really is your “good” information.

A9: To the Point: Finding the Optimal Balance between Behavioral and Technical Controls

Speaker: Andrew Walls

Security performance depends on a delicate balance between technical and behavioral controls. There are times when technology provides the best protection and others where the user is in control. Effective security needs to determine the appropriate control balance based on context and continuously optimize that balance based on results.

B9: To the Point: Conquering the Last Frontier of Governance with Enterprise Legal Management

Speaker: John A. Wheeler

As companies look to improve corporate governance practices in the wake of the global financial crisis, the corporate legal department is at the forefront of change. To be successful, legal professionals need better tools to conquer the evolving governance challenges. This session will explore how Enterprise Legal Management applications can help.

C9: To the Point: Global IT in View of Local Data Protection Laws

Speaker: Carsten Casper

Some store data in the country of origin. Others store it in the cloud. Privacy laws change. Finance, tax regulations and private contracts add to the constraints. We will develop a framework that fits most enterprises’ needs for compliant data storage and processing, based on results from our 2013 security & privacy survey.

D9: To the Point: Web Application Firewalls: Features, Products, Deployment and Alternatives

Speaker: Mario de Boer

In the absence of ubiquitous security in software, web application firewalls are the technology of choice to protect web applications against external attacks. This technology overview focuses on the latest features of leading web application firewalls, existing products, deployment options and alternative technologies.


E9: To the Point: Securing the OT Environment

Speaker: Earl Perkins

As the complexity of OT systems increases, and the connectivity to them becomes more ubiquitous, the risk from vulnerabilities increases. What used to be “security through obscurity” can no longer be the case as OT systems move to Microsoft, Linux and Unix platforms. This session explores the vulnerabilities and how to contain them.


MQ4: Magic Quadrant: Security Information and Event Management

Speaker: Mark Nicolett

Broad adoption of SIEM technology is being driven by the need to detect threats and breaches, as well as by compliance needs. Early breach discovery requires effective user activity, data access and application activity monitoring. Vendors are improving threat intelligence and security analytics.

AUR6: Roundtable: Where Are We Heading with the New EU Data Protection Regulation? (Reserved for end-users only, pre-registration requir …

Speaker: Carsten Casper

Changes in European privacy legislation are ongoing. Data protection authorities conduct audits and prosecute offenders. Social media, video surveillance and location-aware computing also create new challenges for privacy professionals. Join this roundtable to discuss the latest trends of privacy legislation and reality in Europe.

W6: Why ERM & GRC Depend on Each Other to Succeed (Reserved for end-users only. Pre-registration is required.)

Speaker: John A. Wheeler

This session will define and explore the symbiotic relationship between Enterprise Risk Management (ERM) and Governance, Risk & Compliance (GRC). Today, companies are challenged with finding better ways to understand and analyze risk. Some may look to ERM and others may focus on GRC. To be truly effective, however, companies need both.

A10: To the Point: Performance Comes from Venus, Management from Mars

Speaker: Frank Buytendijk

Measurement drives behavior, we all know that. But how measurement drives behaviors is a more nebulous area. For risk mitigation purposes in performance management, we need to find ways to stimulate the right behaviors, while discouraging dysfunctional ones. Sometimes the soft side of performance management, people, produces the most tangible results… if you know what you are doing.

B10: To the Point: Is Your Business Keeping Up with the Changes and Best Practices for e-Disclosure and Regulatory Investigations?

Speaker: Debra Logan

As information compliance and regulatory requirements mature, so does the need for organizations to hone e-discovery best practices and implementations. This session will discuss changes in the e-discovery market and how you can best adhere to these changes.

C10: To the Point: Threat Intelligence Services – Why, What and Who

Speaker: Rob McMillan

If you want to survive a security incident you need to be prepared. Security threat intelligence services are an emerging tool in identifying current and emerging security threats. Providers’ service offerings vary widely, and prospective clients must select a provider based on their specific needs and the provider’s ability to address those needs.


D10: To the Point: Is Cloud Encryption Ready for Prime Time?

Speaker: Eric Ouellet

Organizations are beginning the process of considering leveraging cloud infrastructures with their most sensitive data.

E10: To the Point: Could UTM be a good fit for enterprise?

Speaker: Jeremy D’Hoinne

The recent financial crisis put even more pressure on the security budget. UTM solutions offer a very wide mix of security features on the same appliance, with the promise of both high security and lower Total Cost of Ownership. Are UTMs the silver bullet for budget-conscious security managers? Could both your CSO and your CFO be happy at the same time?


A11: Transform Your Security Program: From Control-Centric to People-Centric

Speaker: Tom Scholtz

The traditional ‘control’ mindset of information security cannot keep pace with technological and behavioural change, resulting in policies and technologies that cause frustration and impede agility. A new approach is required, one that recognizes how the relationships between IT, the business and individuals have been transformed irrevocably.

B11: To the Point: The Four Slide Risk Presentation to the Board

Speaker: French Caldwell

IT executives can easily confuse and dismay the board of directors with IT risk information that’s not relevant to their board’s interests. Keeping it simple by focusing on outcomes makes it easier for everyone to see what matters most and why.

C11: To the Point: Sharing Data Without Losing It

Speaker: Jay Heiser

Today’s security managers are struggling to meet the growing demands to share enterprise data with personal devices and external parties. This pitch will provide a use case model for the choice of collaborative systems with data protection technology that matches business needs for data protection.

D11: To the Point: Big Security Data is Neither Big Security nor Big Intelligence

Speaker: Joseph Feiman

There are fundamental flaws in the assumptions and expectations associated with big collections of security data: 1) that Security intelligence (SI) is analogous to business intelligence (BI) and the big security data is an ultimate source for SI; and 2) that big security data is a key to security.

E11: Supplier Contingency Planning: What You Need to Know for Supplier Recovery

Speaker: Gayla Sullivan

This session will cover how BCM teams can implement supplier contingency plans so that supplier risk mitigation, response, recovery and restoration efforts are more successful. We will discuss how to determine which suppliers require BCM, the activities required in ongoing risk management, and evaluating the viability of supplier contingency plans.


P4: Gartner Closing Keynote & Summit Close: The Gartner Five Year Security and Risk Scenario

Speaker: F. Christian Byrnes

Gartner’s research community for security and risk is composed of over 50 dedicated and numerous contributing analysts. This scenario represents their five year projection of the state of security and risk. The intent is to provide a base for your long term strategic planning.



News.  Some true

US NSA and UK GCHQ ‘can spy on smartphones’. The US National Security Agency (NSA) is reported to have cracked the security codes which protect data on iPhones, Blackberries and Android devices. German news weekly Der Spiegel says documents suggest the NSA and the British GCHQ made joint efforts to gather intelligence. Teams looked at each phone to crack its privacy codes, Der Spiegel said. Saturday saw thousands of demonstrators in Berlin demand that the NSA stop monitoring internet users. Apple’s iPhone privacy protection codes are reported to have been compromised. The documents Spiegel has seen do not show whether or not there has been mass surveillance of phone use. Once the intelligence teams had unlocked the codes, agencies could read a user’s contacts and lists of who had been called. The BBC’s Steve Evans in Berlin says the reports do seem to indicate that the British and American security agencies have the ability to read private communications beyond what might have previously been thought possible – or desirable by those who fear the intrusion of the state.
No 10 denies David Cameron red box security breach. A passenger photographed the red box briefly left unattended as the prime minister travelled by train. Downing Street has rejected suggestions that David Cameron might have caused a security breach by briefly leaving his official ministerial red box unaccompanied on the table of a train carriage. A train passenger took a photograph of the red box, which was published by the Daily Mirror. The passenger told the paper: “It was just sitting there. I could probably have run off with it if I’d wanted to.” However, Downing Street insisted the box was not left unattended and that the security detail protecting the prime minister was there at all times. The photograph was taken on Saturday on a train from King’s Cross station in London to York, where Cameron attended his sister-in-law’s wedding. Guidance was issued in 1999 by junior minister Peter Kilfoyle that red boxes should be “effectively disguised” if it was necessary to carry them on public transport.
Northrop Grumman Corporation has been retained by the Defence Science and Technology Laboratory (Dstl) to carry out a further phase of development of the N.Guru Cyber Situational Awareness System, the software application for the visualisation of cyber events for decision makers. The research project awarded by Dstl will be carried out by Northrop Grumman in partnership with the Universities of Oxford and South Wales. This work is part of the MOD’s Cyber Research Programme and is developing concepts, tools and techniques to provide cyber situational awareness for users. “The ability to visualise cyber events in new ways will help create greater situational awareness and enable users to improve the speed and effectiveness of network defence decision making,” said Danny Milligan, sector managing director, Northrop Grumman Information Systems Europe. “This research and the resulting capability it produces will be a key enabler in helping the MOD to defend its digital assets intelligently and maintain its core business processes.” The N.Guru project will develop techniques for the monitoring and mitigation of detected risks through the use of visualisations that enhance situational awareness and facilitate decision support for cyber defence. It will also explore the impact that a cyber-threat could have on business processes, look for more widespread anomalies and known threat patterns, and provide information that enables operators to develop mitigation actions. Northrop Grumman in the U.K. has successfully supported a number of cyber research programmes following the commissioning of the Federated Cyber Range at its Fareham site in 2010. The company is also teamed with Finmeccanica for the NATO Computer Incident Response Capability, which is currently being rolled out to multiple NATO sites in Europe and North America.
Massive spike of Tor users caused by Mevade botnet. Researchers at Fox-IT found evidence that a recent spike in users of The Onion Router (TOR) anonymity network was due to a botnet known as Mevade.A, which may also go by the names “Sefnit” or “SBC.” 
Obad Android trojan distributed via mobile botnets. The operators of the Obad mobile botnet have begun using four distribution methods to spread malware to mobile devices, including through a new method, dissemination via mobile botnet created by using another form of malware. 


News.  Some True

Cyber attack on Israel planned for Wednesday to mark 9/11. A few days ago, a YouTube video was distributed calling on Muslim hackers worldwide to attack Israel on Wednesday, September 11. Just over five months ago, on Holocaust Day, “Globes” reported on a cyber attack against Israel by Muslim hacker groups sponsored by underground organization, Anonymous. The attack included hacking into Israeli websites and crashing them, hacking into Facebook accounts of Israeli citizens, and other activity aimed at damaging Israel’s Internet space. The hackers declared that the cyber attack’s general objective was to wipe Israel off the Internet map, which means that the attack was unquestionably a failure. But from the hackers’ perspective, they were able to deal Israel a painful blow, and they are now ready for a new round.
Cyber Attacks More Threat to Supply Chain Than Weather. While recent natural catastrophes have highlighted the risks weather poses to a company’s supply chain, technology failure and cyber attacks represent an even greater threat that many companies overlook, a new report said. In its “Tomorrow Never Knows: Emerging Risks” report, Guy Carpenter said, “Few aspects of our personal or commercial lives are now technology free. And yet, most individuals and businesses only realize the extent of this dependency when they are negatively affected by a technology-driven or technology-dependent event.” This reality extends to a company’s supply chain, Guy Carpenter said. “Due to technological innovation and advances, many parts of a company’s or industry’s supply chain may have become interconnected and automated. Technology is indeed a critical enabler of a supply chain’s operations,” states the report. As such, the consultancy said, a single disruption such as a cyber attack “has the potential to put an entire company’s supply chain at risk.” The report outlines results from the “Business Continuity Institute’s 2012 Supply Chain Resilience Survey,” which show that unplanned outage of IT/telecoms was the most significant cause of supply-chain disruption last year, outpacing adverse weather, which placed second.
Ultra Electronics, 3eTI Prevents Cyber-Attacks with New Defense-in-Depth Security Device for Industrial Control Systems. EtherGuard L3 integrates enhanced layers of Information Assurance (IA) and cyber security controls for truly intelligent, more secure protection of real-time systems. Ultra Electronics, 3eTI, a leading provider of military-grade, cyber-secure network solutions for critical information systems, infrastructure and industrial automation, announces the next major release of its EtherGuard® L3, a government-grade, Layer 3 encryption device. This release focuses on preventing sophisticated ICS cyber-attacks by providing defense-in-depth (DID) cyber security for machine-to-machine (M2M) and embedded systems connectivity. EtherGuard L3 is designed to prevent malware such as Stuxnet or “insider” attacks from targeting defense and industrial environments, as well as countering the inadequate security which commonly exposes networks and critical edge devices to exploitation.
The EtherGuard L3 provides multi-layer protection including encryption, authentication, access control, denial-of-service, deep-packet-inspection (DPI), intrusion detection and prevention, central network management, and key management for industrial control and real-time systems. Together these capabilities allow an EtherGuard L3 to efficiently provide both safety and security defenses against multiple types of attack. EtherGuard L3’s protection, which is available as a device or integrated OEM module, enhances situational awareness for critical applications and empowers network managers to achieve the ever-elusive balance between security and operations.
Sykipot malware used to gather intel on U.S. civil aviation sector. Trend Micro researchers spotted the Sykipot malware being used in a new campaign targeting the U.S. civil aviation sector.
Fraudsters abuse Google Calendar for Android to send out scam messages. Researchers at Webroot found that scammers are registering thousands of fake Google accounts and using the Google Calendar app for Android to send out spam calendar invites.

BYOD: Bring your own distraction

It’s all the rage. There’s not much to add. Everyone has a solution to it, even Novell. So, what is there useful to say?

Only this. Think about BYOD policies and be consistent. Do you ban people from browsing porn on their own tablet? Do you pay people for the hardware? Or do you expect people to fund their own IT? Who provides insurance?

Run a pilot. Here are some requirements to think about.

  • Container for corporate data
  • Control of password complexity
  • Encrypt whole device
  • Enforce policies
  • Full alerting
  • Full logging
  • Full reporting
  • Hierarchical administration
  • Limit to OS version
  • Locate device
  • Log web sites visited
  • Login time out
  • No jail breaks
  • Remote control of device
  • Remote wipe of device or data
  • Screen clear timeout
  • Separate administration by business units

Forrester Wave: Information Security Consulting Services

Forrester publish their analysis of who to watch and who to use. The only issue is that there is no indication of who is left out and why. Read all about The Forrester Wave: Information Security Consulting Services, Q1 2013.

Forrester say:

When interviewing the representatives and clients of these consultancies, it became clear to us that there are two different strategies in place. The more traditional consultancies (Deloitte, E&Y, KPMG, and PwC) focus on such elements as thought leadership, organizational transformation, risk management, and business value, while the other vendors (Accenture, BT, HP, IBM, Verizon, and Wipro) see consultancy as a steppingstone for engaging the client with their managed service offerings. This is not to denigrate or undermine the services they offer; however, it was apparent that selling managed services is always on their agenda.


On the web here. Cache here.