Gartner Blog Network

Add some IT GRC to your Catalyst! (or cloud, or crypto)

by Erik T. Heidt  |  July 18, 2013

Late breaking news:

Just this week the opportunity to present an IT GRC session at Catalyst came up. As a result, I will be presenting a 45-minute session on the most common struggles IT GRC practices run into in organizing and executing their efforts. This is an outgrowth of the research conducted in authoring “Achieving IT GRC Success”. The content was very well received at the 2013 Security and Risk Summit, and I am very excited to be able to bring it to Catalyst this year.

I have also included information on the other sessions I am involved with below. The Cloud Risk Manifesto workshop is full, but if you are a GTP seat holder, please keep in mind that you can schedule a 1:1 at the conference or a post-conference Inquiry/Dialogue call with me to discuss the workshop results or any of these subjects.

The “To the Point: How to Assess Cloud Service Provider Security” session is an extension of the recently published “Determining Criteria for Cloud Security Assessment: It’s More Than a Checklist”, and is content I am also very excited to present and start a discussion about. This is a 25-minute session, so it will move FAST, and as a result it is action oriented.

Here is a summary of the sessions I am participating in:

Tell Me, What’s IT GRC again? (Solutions to Common Challenges)
31 July, 2013 (4:45 PM – 5:30 PM)

IT GRC practices continue to be a catch-all for policy, risk and compliance activities. No clear and complete vision of IT GRC has emerged, and GRC activities tend to be matrixed across the enterprise. In this session, we review a summary of current research on IT GRC practices and provide recommendations for planning and executing IT GRC.

This session answers the following questions:

  • Is there a one-size-fits-all IT GRC practice structure you can adopt?
  • What are the key IT GRC processes common to mature practices?
  • What are the biggest pitfalls faced by new IT GRC efforts?

To the Point: How to Assess Cloud Service Provider Security
29 July, 2013 (5:00 PM – 5:30 PM)

Cloud security standards have emerged from the Cloud Security Alliance, the U.S. government FedRAMP program and other groups. However, assessing providers takes more than a checklist; it takes an architecture. This presentation covers assessment in the context of real use cases, including hybrid cloud and multiprovider scenarios.

This session answers the following questions:

  • How do I model cloud risks for the use cases I have?
  • How do I develop solution architecture patterns to drive down exposure to failures in the cloud service?
  • How do I prioritize assessment criteria and develop questionnaires?

Workshop: Cloud Risk Manifesto
31 July, 2013 (9:15 AM – 10:45 AM)

Adoption of cloud services has lagged expectations. In part, this is because cloud providers aren’t addressing the IT risks associated with hosting sensitive data or regulated or critical business processes. Furthermore, internal partners criticize IT for a “lack of adoption” without understanding availability, compliance, data disclosure and other risks. This workshop gives voice to the IT risk management issues that cloud providers, business partners and IT leadership need to understand and address in order to tap into cloud value. Participants go away with requirements and policy statements that can be communicated to providers, business partners, sourcing and legal to level-set the expectations that must be addressed before these services can be more fully utilized, by the enterprise or in its supply chain.

The key questions answered in this workshop include:

  • What are the risks that I need my cloud supplier to address so I can go “all in”?
  • What are the risks I need my business partners to understand?
  • What cloud usage can I tolerate in the offerings from service providers?

When Encryption Won’t Work: Implementing Practical Information Protection
31 July, 2013 (2:55 PM – 3:40 PM)

Enterprise data breaches are occurring all too often. Many enterprises have overestimated or misunderstood the protection provided by current, or planned, encryption deployments. This presentation focuses on the attacks that are resulting in these expensive and embarrassing data disclosures, and provides prioritized actions for you to consider for addressing these threats. (Portable media and data outside the data center are not discussed.) We explore the limitations of database, bulk storage and application encryption approaches. Recommendations include a solid mix of controls, sometimes including encryption, that complement and strengthen each other.

This session answers the following questions:

  • Is my encryption strategy poised to address likely threats?
  • Have I invested properly in database, bulk storage, or application encryption?
  • How do I leverage other preventative controls to complement or replace encryption?

Public Clouds: Action Planning and Next Steps
01 August, 2013 (8:30 AM – 9:30 AM)

This is a panel discussion including Gartner analysts Drue Reeves, Sean Kenefick, Kyle Hilgendorf, Bill Pray, Jamie Popkin and me, and will summarize the key cloud content from the event.

It’s time for organizations to move past partial commitment when it comes to employing public cloud services. However, it’s easier said than done, and this week will be like drinking from a fire hose. In this panel discussion, Gartner analysts highlight the top action items from the week and take your questions about where to go from here.

This session covers:

  • Public cloud “a-ha” moments from the conference
  • Prioritizing the key actions of a cloud strategy and action plan
  • An open Q&A for all attendees


Look forward to seeing you there!

Thanks, Erik


Category: cloud-risk-management  it-grc  real-world-information-security  risk-management  

Erik T. Heidt
IoT Agenda Manager, Research VP
5 years at Gartner
26 years IT Industry

Erik Heidt is the IoT Research Agenda Manager for Gartner for Technical Professionals (GTP). Mr. Heidt covers Internet of Things (IoT) architecture, strategy and execution as well as security and risk management within the IoT context. Mr. Heidt focuses on developing and delivering research related to the architecture, development and operation of IoT for both users and suppliers. Mr. Heidt has more than 26 years of industry experience, with a significant focus on information security and risk management. Read Full Bio

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.