Agenda By Day


September 10, 2009
7:30 a.m.-8:30 a.m. Registration And Continental Breakfast
7:30 a.m.-8:20 a.m. Breakfast Preso W/The Center For Internet Security - Establishing Practical, Unambiguous & Logically Defensible Security Metrics
Elizabeth A. Nichols, Ph.D., The Center for Internet Security, Speaker
Steven Piliero, The Center for Internet Security, Speaker

This presentation will describe an initial set of information security metrics, developed via expert consensus. These metrics provide standard security definitions that are necessary for intra- and inter-enterprise benchmarking of security performance. An emphasis is placed on outcome metrics as true measures of information security success. Key takeaways include:

  • Overview and need for outcome-based, consensus security metrics
  • Practical security metric examples
  • Security metric definitions and resources
    8:30 a.m.-8:50 a.m. Welcome And Setting the Stage
    Robert Whiteley, Forrester, Speaker
    8:50 a.m.-9:35 a.m. Navigating The New Security & Risk Reality
    Khalid Kark, Forrester, Speaker

    Shift happens. And you need to deal with the consequences. We’ve been discussing “change” for years: dramatic changes to workplace dynamics, new sourcing models, and evolving application portfolios. But change is no longer hypothetical — it’s real. This session will move beyond discussions of the economy and help you understand how to navigate the new security reality. Session attendees will learn:

    • The major business trends you need to prepare for when the inevitable upturn in the global economy comes
    • How to master three major shifts: 1) a shift in business expectations; 2) a shift in ownership; and 3) a shift in security architecture
    • Why you need to move beyond asking questions of your CIO and business peers to providing guidance and evolving your SRM practice
    9:30 a.m.-5:00 p.m. One-On-One Meetings With Forrester Analysts

    Each attendee is able to schedule up to two 20-minute one-on-one sessions with the Forrester analysts of their choice, depending on availability. These meetings are consistently rated as one of the most popular features of Forrester Events.

    9:35 a.m.-10:20 a.m. Successful Approaches To Addressing Consumerization: A Panel Discussion
    Natalie Lambert, Forrester, Moderator
    Paul Martine, Citrix, Speaker
    Eric Sachs, Google, Speaker
    John N. Stewart, Cisco Systems, Speaker

    Like it or not, consumer-grade hardware and software have penetrated your company. Originally it started as executives demanding iPhones, but now we see Google Docs, Macs, Skype, and Twitter being extensively used by enterprise workers. This analyst-moderated session with three security executives will discuss the policies, controls, and practices to minimize the threat of consumerization. Attendees will learn:

    • What the threats versus benefits of supporting consumer technology are
    • How to evolve your security and risk practices to combat the risks of consumerization
    • What employee acceptable use policies today's security execs are implementing
    10:20 a.m.-11:05 a.m. Morning Networking Break In The Technology Showcase
    11:05 a.m.-11:45 a.m. The New Security Blanket: Four Key Strategies For Protecting Your Information-Driven Organization
    Art Gilliland, Symantec, Speaker

    Change is constant. As a Security & Risk professional, how do you protect your information-driven organization and still remain competitive in your business? In 2008 alone, 90% of breaches involved organized crime targeting corporate information. IP theft cost companies $600 million globally, and 285 million records were stolen. How do you cope with this new security reality? This session will outline four key strategies for protecting your company and provide practical use case studies.

    11:45 a.m.-12:30 p.m. A Dose Of Reality: Why You Should Take A Cautious Approach To A Shift In IT Architectures
    Marcus J. Ranum, Tenable Network Security, Speaker

    There's always some new technical solution on the horizon that promises a quick ROI and tremendous business value. These days, it's cloud computing. But with new platforms come new attack paradigms. Come hear Marcus Ranum discuss his view on the security landscape and how to think about the new challenges that cloud poses. This session will cover:

  • How we're still solving problems we caused 15 years ago
  • New cloud threats like "denial of economic sustainability"
  • What you need to do and how to push back to limit the risks of new IT models
    12:30 p.m.-2:00 p.m. Lunch And Dessert In The Technology Showcase
    2:00 p.m.-2:45 p.m. Track Session

    Track A: Shift In Expectations: Modernizing Your SRM Program
    Elevating Security With Risk Management Techniques
    Chris McClean, Senior Analyst, Forrester

    Track B: Shift In Ownership: Protecting Data Outside Your Four Walls
    Protecting Information When You Don’t Own The Assets
    Andrew Jaquith, Analyst, Forrester

    Track C: Shift In Security Architecture: Building A Flexible, Compliant Foundation
    PCI Unleashed: Embracing PCI As A Next-Generation Security Architecture
    John Kindervag, Principal Analyst, Forrester
    2:45 p.m.-3:00 p.m. Intermission
    3:00 p.m.-3:30 p.m. Guest Executive Forum With Trusted Computing Group - Enterprise Metadata Services For NAC And Beyond
    Steve Venema, Ph.D., The Boeing Company, Speaker

    Metadata, or data that describes other data, is an important aspect of network access control (NAC) and, more generally, information security. TCG’s Trusted Network Connect (TNC) workgroup has developed and standardized an “Interface for Metadata Access Points” (IF-MAP) that allows a heterogeneous set of NAC components from multiple vendors to coordinate their respective sensing, decisions, and actions by sharing standardized metadata through the publish/subscribe/search capabilities of IF-MAP. Attendees will learn:

    • How Boeing is deploying an IF-MAP-compliant metadata service
    • How IF-MAP can enable other metadata services such as network location services
    • More about the deployment of IF-MAP use cases in larger enterprises
    3:00 p.m.-3:30 p.m. Guest Executive Forum With VeriSign - Deconstructing The July 4th DDoS Attacks
    Ken Silva, VeriSign, Speaker

    Recently, several US and South Korean government and commercial Web sites were the target of large-scale DDoS attacks. The attacks caused disruption of a number of Web sites and generated a great deal of interest within the information security community. In this presentation, Ken Silva, CTO of VeriSign, will provide an analysis of these attacks, explain their significance for the IT and business communities, and explain how they could have been easily prevented. From this presentation, you'll understand:

    • How traffic to these Web sites was disrupted.
    • What is known about the motives behind these attacks.
    • The future direction of cyberattacks.
    3:30 p.m.-4:15 p.m. Afternoon Networking Break In The Technology Showcase
    4:15 p.m.-5:00 p.m. Track Session

    Track A: Shift In Expectations: Modernizing Your SRM Program
    How Your CIO’s Plans Will Change Security
    Marc Cecere, Vice President, Principal Analyst, Forrester

    Track B: Shift In Ownership: Protecting Data Outside Your Four Walls
    Executive Exchange: Managing Identity For Noncorporate Users And Devices
    Andras Cser, Principal Analyst, Forrester

    Track C: Shift In Security Architecture: Building A Flexible, Compliant Foundation
    Building An Identity Strategy To Harness Consumerization And Cloud Computing
    Bill Nagel, Senior Editor, Forrester
    5:00 p.m.-6:30 p.m. Networking Reception In The Technology Showcase

    September 11, 2009
    7:30 a.m.-8:30 a.m. Registration And Continental Breakfast
    7:30 a.m.-8:20 a.m. Breakfast Presentation With Blue Coat Systems - How Do Legitimate Web Sites Pose A Security Risk?
    Bob Hansmann, Blue Coat Systems, Speaker

    Everyone knows that surfing the Web is dangerous and that even legitimate sites can be compromised. Security teams need to understand the facts behind this fear statement.

    • How many ways can someone become infected visiting legitimate Web sites? Security professionals need to know how this goes beyond SQL injection and malicious iFrames.
    • Where do today's security solutions fit in a best practices defense? Learn how to coordinate what you have for a stronger defense and to identify any remaining holes.
    • What new strategies and technologies are coming to strengthen protection against these fast-moving, Web-based attacks?
    8:30 a.m.-8:45 a.m. Day Two Opening Remarks
    Robert Whiteley, Forrester, Speaker
    8:45 a.m.-9:30 a.m. How Economics, Cloud Services, And Outsourcing Challenge Your Risk Exposure
    Paul Roehrig, Ph.D., Forrester, Speaker

    External pressures such as a melting economy are now combined with internal pressures such as the requirement for clear ROI and new technologies like cloud or utility services to create a virtual tornado of new pressures on IT security. As security professionals, we're usually guilty of claiming something big is happening, but this time, it's for real. This session will discuss:

    • How the core enterprise requirements for IT security are changing — and not just a little
    • How cloud computing services are accelerating the process of "natural selection" in the security space
    • The growing reliance on external service providers to deliver security services
    • How security professionals have to extend beyond the “traffic cop” role, improve how they leverage external service providers, and help drive safe implementation of more utility services into the enterprise
    9:30 a.m.-10:15 a.m. Architecting Secure Collaboration Across The Internet
    Steve Whitlock, The Boeing Company, Speaker

    Many organizations look to the Internet to collaborate with employees, partners, and customers. But as an industry, we need an architecture that reduces the attack surface and provides secure communications, information protection, and a secure environment in which to open information. Come hear Steve Whitlock share his thoughts and advice on how to build out this next-generation architecture. In this session, attendees will:

    • Understand when and why you should use application-specific versus general purpose tunnels to communicate across the Internet
    • Discuss the merger of fine-grained access control with encryption and how it can be applied directly to information flows
    • Learn why you should break up the traditional OS into small, provably correct modules built on VMs that coordinate to act like an OS
    9:30 a.m.-3:30 p.m. One-On-One Meetings With Forrester Analysts

    Each attendee is able to schedule up to two 20-minute one-on-one sessions with the Forrester analysts of their choice, depending on availability. These meetings are consistently rated as one of the most popular features of Forrester Events.

    10:15 a.m.-10:45 a.m. Morning Networking Break In The Technology Showcase
    10:45 a.m.-11:30 a.m. Bridging The Skills Gap: Preparing For The Next Generation Of Security Talent
    W. Hord Tipton, (ISC)2, Speaker

    Many companies are adept at understanding shifts in security technology and processes. But what about people? CISOs constantly claim that new security skills are needed, but few feel equipped to tackle the problem. This session will overview shifts in the security talent landscape and prepare you for hiring the right talent when you need it. Attendees will:

    • Understand how security and risk management talent is evolving
    • Reexamine the current skills and certifications that are needed for your business
    • Discuss how to prepare for hiring, training, and ramping new security talent
    11:30 a.m.-12:30 p.m. Practical Advice On Navigating The New Security Reality
    Daniel E. Geer, Sc.D., Verdasys, Speaker
    Andrew Jaquith, Forrester, Speaker
    Herbert H. Thompson, People Security, Speaker

    Shifts in stakeholder expectations, ownership of assets, and security architecture will radically change CISO priorities. In this session, a lively panel of practitioners will debate what it all means for CISOs: the new rules of the road, the ultimate destination, and practical directions on how to get there. Attendees will:

  • Understand the grand challenges in information security and their potential solutions
  • Learn about the mistakes CISOs are making today and what to do about them
  • Discuss key competencies the CISO organization must master before the upturn
    12:30 p.m.-1:45 p.m. Lunch And Dessert In The Technology Showcase
    1:45 p.m.-2:30 p.m. Track Session

    Track A: Shift In Expectations: Modernizing Your SRM Program
    How To Create A Lean Security Organization
    Khalid Kark, Vice President, Research Director, Forrester

    Track B: Shift In Ownership: Protecting Data Outside Your Four Walls
    Reexamining The Impact Of Collaboration And Web 2.0
    Rob Koplowitz, Vice President, Principal Analyst, Forrester

    Track C: Shift In Security Architecture: Building A Flexible, Compliant Foundation
    The New Identity And Access Management Architecture
    Andras Cser, Principal Analyst, Forrester
    2:30 p.m.-2:40 p.m. Intermission
    2:40 p.m.-3:25 p.m. Track Session

    Track A: Shift In Expectations: Modernizing Your SRM Program
    Getting The Most From Your Security Vendors
    Jonathan Penn, Analyst, Forrester

    Track B: Shift In Ownership: Protecting Data Outside Your Four Walls
    The Security Of B2B: Enabling An Unbounded Enterprise
    Robert Whiteley, VP, BT Portfolio & Strategy, Forrester

    Track C: Shift In Security Architecture: Building A Flexible, Compliant Foundation
    Making A Bring-Your-Own-PC Program A Reality
    Natalie Lambert, Analyst, Forrester