THEME: Security Vital Signs: Topics

Super-Crunching Your Way through Security Metrics

What do over 136 academic studies tell us that we don’t already know? That evidence-based quantitative research is almost always better than qualitative, subjective opinions – even from experts, even with expressed concerns about data. Measuring things matters, and makes IT programs more manageable. But it has to be done right.

These sessions will help codify how and when to address security metrics in your environment:

  • What are the Top Ten Strategic Security Metrics?
  • What are the practical drawbacks and challenges of implementing a metrics program?
  • How do your peers get started down the path of metrification?
  • How do you quantify risk and information asset value?
  • Why does all this matter?

Realistic Governance, Risk, and Compliance Management in the Enterprise

Governance, Risk, and Compliance management (GRC) is the stuff of marketers’ dreams: a phrase that’s attention-getting, broad, and seemingly all-encompassing. And the market has responded with a confusing array of products. The problem is, security practitioners need realistic solutions in each of these areas. The saying goes, “security is a process, not a product.” And this certainly applies to GRC, too.

These sessions will draw the distinctions between senior management governance activities, risk management approaches, and compliance automation technologies:

  • What is the market landscape for so-called GRC tools?
  • How can risk management and compliance be made into regular business units instead of cost centers?
  • How does proper execution of governance activities affect security vital signs?
  • What is the role of data governance?
  • How do we expand industry imagination to view security and compliance not as something forced on the business by outsiders, but chosen by management as a core activity?

Going Global: Controlling the Extended Organization

“My enterprise is spread out all over the planet!” This is a common cry and complaint from Burton Group clients. Part of their challenge is regulatory compliance over a multitude of jurisdictions. But also painful is the increasingly outsourced nature of business, and how it drives much looser control over security. Multi-national organizations need a clear understanding of how to drive appropriate controls for geographically varied regulations and how to deal with off-shoring partners and other third parties who need access to internal services.

These sessions will address:

  • How to create a controls structure that can manage, and be managed from, a geographically dispersed work environment
  • What vendors need to be told in order to create solutions that accommodate greater heterogeneity and diversity
  • What are major compliance trends in popular outsourcing regions
  • Technical solutions that provide improved mitigating controls
  • Audit and assessment strategies

Data Security: More than the Reach of the Breach

Staying out of the news (bad news, specifically) is an admirable goal. But data security is more than merely avoiding breaches, disclosures, and reputation blemishes. Enterprises have vast data landscapes with varied needs. In the land of data, those who control data are king. Such control includes protection of data in motion, use, and at rest—to be sure—but it also involves classifying, architecting, and discovering information properly. It also requires appropriate technical responses to conflicting compliance requirements: some of which require greater confidentiality and others that require greater availability.

The session will cover:

  • How data protection must evolve in a service-oriented application environment
  • How organizations are responding to protection requirements from Payment Card Industry (PCI) and other regulations
  • Why enterprises should start thinking strategically about encryption and key management
  • What data services and information architecture can do to help reduce risk

Conducting Secure Business Over Open Networks

For many enterprises the network perimeter firewall is unable to guarantee that only trusted users and traffic are present on the managed network. Network and security vendor attempts to shore up the network with Network Access Control (NAC) solutions are incomplete and over-hyped. Burton Group experts and customers will propose an overlay architecture approach that shifts defenses to the endpoints, application systems, information systems, and data centers, and will challenge vendors to justify the value of NAC products and their strategy for building security intelligence into networks.

Topics to be covered include:

  • The reasons why a single enterprise perimeter will fail
  • Do we really need NAC products?
  • How to overlay secure business on untrusted networks
  • Learning from NAC projects that failed
  • Defending endpoints, applications, information, and data centers
  • Burton Group’s architecture for secure networks and secure data centers
  • Industry panel to challenge leading network and security vendors on the wisdom of attempts to lock down networks