Fortify Executive Summit with Colin Powell and the ISE Mid-Atlantic Awards Program
Monday and Tuesday, May 4th - 5th, 2009
Location: Foyer
Opens for nominees, sponsors, and special invited guests.
Location: Plaza Ballroom
John M. Jack
President and CEO
Fortify Software
Location: Plaza Ballroom
Moderator:
Stephanie Stahl
Executive Editor
InformationWeek
Panelists:
Jennifer Bayuk
Information Security Specialist, (former CISO, Bear Stearns & Co)
Prof. Howard A. Schmidt, CISSP, CISM, CSSLP
President & CEO
Information Security Forum Ltd
Lt General Charles L. Johnson II (Ret.)
Vice President
Boeing, Air Force Networks and Support Systems
David W. Stender, CISSP CSSLP
Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer
Internal Revenue Service
Roger Thornton
Founder and Chief Technology Officer
Fortify Software
Topic: The Changing Role of the Security Leader – Executive Panel Discussion
It wasn’t long ago that the information security executive’s role in the organization was primarily tactical and reactive. Today, a perfect storm of more dangerous threats, an increasing compliance burden and the growing awareness of the extent of the vulnerability problem is pushing security leaders into the board room. So, while traditional security executives worried about locking down the network, often working at odds with other parts of the IT organization, the new security leader must be more concerned with aligning information risk strategy with business objectives, selling the importance of security, risk and compliance across the organization, and overseeing and measuring the effectiveness of all of these programs.
This power panel of four security leaders from industry and government will candidly share their experiences of how their roles have evolved and what they believe is critical to sustain leadership and value within their organizations. We’ll explore their day-to-day priorities and how their initiatives and organizations have changed as a direct result of the down economy and higher risk of cybercrime than ever before.
Location: Plaza Ballroom
The Executive Roundtables bring together nominees, industry leaders, invited guests, and sponsor delegates to meet each other and join in discussions on key industry issues as well as share best practices.
Moderators:
Nils Puhlmann, CISSP-ISSMP, CISM
Chief Security Officer and Vice President of Risk Management
Qualys
Topic 1: Cloud Computing – Smart CISOs Asking the Tough Questions
Gregory T. Garcia
President
Garcia Strategies, LLC
Topic 2: Pioneering Innovative and Value-Added Customer Driven Security Programs in a Challenging Economy
Stephen G. Charles
Co-Founder & Executive Vice President
immixGroup, Inc
Topic 3: The Business and Security Impact of Social Computing (Social Networking)
Barmak Meftah
Senior Vice President, Products & Technology
Fortify Software
Topic 4: Leveraging your Security investments.... Choosing between Best-of-breed New Products or Moving to an Integrated Suite
Roger Thornton
Founder and Chief Technology Officer
Fortify Software
Topic 4: Leveraging your Security investments.... Choosing between Best-of-breed New Products or Moving to an Integrated Suite
Kevin Coppins
Vice President of Identity & Security
Novell Americas
Topic 5: The Changing Role of the Information Security Executive (ISE) from an Operations focus to a Risk Management Business Partner
Prof. Howard A. Schmidt, CISSP, CISM, CSSLP
President & CEO
Information Security Forum Ltd
Topic 6: Protecting Data from the Inside Out by Knowing Where your Software and Web Applications are Vulnerable
David W. Stender, CISSP CSSLP
Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer
Internal Revenue Service
Topic 7: Achieving FISMA Compliance
Krizi Trivisani, CISSP
Director of Systems Security Operations, Chief Security Officer
The George Washington University
Topic 7: Achieving FISMA Compliance
Topic 1: Cloud Computing – Smart CISOs Asking the Tough Questions Led by Nils Puhlmann, CISSP-ISSMP, CISM
Join in the discussions on the obvious solutions and the clear disconnects associated with the strategies and deployment of cloud computing capabilities and their impact on information security. The premise of the majority of cloud computing infrastructures going into 2009 is reliable services delivered through data centers and built on servers with varying levels of virtualization technology. The services are accessible anywhere in the world, with “The Cloud” appearing as a single point of access for all the computing needs of consumers.
Gartner reports that 63% of organizations it surveyed planned to increase their use of cloud computing, likely as a result of the economic downturn, as this technology holds many promises: the ability to increase capacity and add new capabilities without additional data center capital expenditures, the reduction of training costs, and the reduction of the costs and maintenance associated with software development. So why are organizations struggling with deploying this environment?
Dive deeper into the discussions and share your ideas with your executive peers:
- How are organizations working their way through the “loss of control” issues as information is moved to a third-party provider?
- What is the expectation of privacy as your sensitive data gets handed off in the cloud?
- What are the tough questions that CISOs are asking about data integrity and recovery?
- What is the impact of e-discovery, regulatory compliance, and auditing on the capability to move your organization to this environment?
- What are the clear benefits and successes that organizations are seeing?
Topic 2: Pioneering Innovative and Value-Added Customer Driven Security Programs in a Challenging Economy Led by Greg Garcia
With the recent worldwide economic challenges, many organizations are now pushing the envelope with the “Do More with Less” approach to controlling IT security costs. While continuing to optimize existing processes and resources can lead to short-term gains, the reality is that today’s economic challenges are not short term. Security strategies must now be re-evaluated to support the core competencies of the business and, ultimately, the needs of the customers that drive the bottom line. To succeed in today’s environment, security organizations must be able to position themselves with the capabilities to pioneer innovative and better ways to create value for their customers, since value is the strategic driver that differentiates the programs your customers are willing to invest in for the future.
Dive deeper into the discussions and share your ideas with your executive peers:
- Understanding new customer choices and where they are seeking value in today’s economy.
- Examining technology security investments that provide value-add for the customer – data leakage protection, software assurance management, identity management, endpoint protection, authentication, vulnerability management, data encryption, etc. Discuss which of these technologies can provide this value, and how.
- Strengthening communications to position customers to develop shared goals and be active champions of your innovative security programs.
- Measuring and managing customer expectations in this tough economy.
Topic 3: The Business and Security Impact of Social Computing (Social Networking) Led by Steve Charles
Social computing enhances the often unstructured interactions between individuals. Social computing means communities are going global—breaking the constraints of geography and expanding their reach and influence. Leveraging these online communities presents both great business opportunities and potentially many uncharted security challenges for enterprises. The corporate use of social-software services like Facebook, LinkedIn, YouTube, Twitter and MySpace creates exposure of personal data in the workplace, the release of corporate data to the public and the risk of identity fraud, as well as a host of other security, governance and compliance challenges. Furthermore, with increased usage of social-software services comes the onset of more malware, as it often resides in the trusted and popular Web sites that your users visit frequently, thus creating potential endpoint and network security risks.
Discuss with your peers in this roundtable how organizations, executives, security teams and vendors are developing technologies and best practices that are preventing the inappropriate exposure and exploitation of personal and corporate data through social computing.
Dive deeper into the discussions and share your ideas with your executive peers:
- What are the key drivers for developing a strategy for an organization around social networking?
- Gaining an understanding of social-application governance, and how to build a social governance program that fits your organization’s culture and industry.
- What are the types of policies to build into your secure web gateway program—application white listing, content filtering, etc.?
- What are the best ways to optimize employee productivity with web application and filtering controls?
- Discuss best practices for methods to prevent information leaks and data loss.
Topic 4: Leveraging your Security investments.... Choosing between Best-of-breed New Products or Moving to an Integrated Suite Led by Barmak Meftah / Roger Thornton
Maintaining security using tactical point solutions introduces complexity and inconsistency, but integrating security throughout the network with an integrated set of products can be just as intimidating.
We all strive for the following three advantages:
- A secure network platform with integrated security to which you can easily add advanced security technologies and services
- Threat control services focused on antivirus protection and policy enforcement that continuously monitor network activity and prevent or mitigate problems
- Secure communication services that maintain the privacy and confidentiality of sensitive data, voice, video, and wireless communications while cost-effectively extending the reach of your network
The problem is that many of us Information Security Executives (ISEs) have had to purchase emerging technologies and point solutions to keep up with the threats that keep emerging in our new technology environment.
The other challenge is that big technology and security companies are buying up the small security vendors and trying to merge their products into an integrated suite. The dilemma then is whether to continue to go with best-of-breed new emerging technologies, or to rip out some or all of the point solutions and go with the big vendors.
Discuss with your peers at this executive round table:
- The advantages and disadvantages of implementing best-of-breed "emerging technology" solutions, or relying on the big security vendors for all of your needs
- Concerns when you have purchased and implemented a point solution, and then this vendor is acquired by a larger company
- What would be defining factors and requirements for your enterprise to de-install products such as Anti-Virus and Mail security and reinstall with a new vendor
- The advantages and/or disadvantages of implementing one vendor's solutions versus having multiple vendors in place
Topic 5: The Changing Role of the Information Security Executive (ISE) from an Operations focus to a Risk Management Business Partner Led by Kevin Coppins
Most Information Security Executives (ISEs) have been responsible for running Information Security organizations that were largely operational, with staff responsible for firewalls, intrusion detection, and forensics. Many companies are now migrating security operations to other well-established groups in IT that perform similar operations. Reorganization may include Network Intrusion Detection and Firewall Management under Network Operations, Server Hardening and Monitoring under Systems Administration, and Application Development Teams taking on responsibility for Application Security.
These major changes are enabling the ISE role to be more aligned with the business strategy of the organization. The role of the ISE is increasingly focused on risk management, and on acting as a facilitator between operations and the business units. ISEs are becoming risk-management officers able to understand risks from a technical point of view but, more importantly, from a business point of view. Compliance initiatives are also becoming a major responsibility of the ISE position, and collaboration with executives in privacy, legal, and core business units is key to continued success.
Discuss with your peers at this roundtable:
- How your role as an Information Security Executive has changed in the past few years.
- What your major challenges are and what you are doing to align more closely with your company's strategic business initiatives.
- The benefits and/or concerns with moving Security operations into the IT organization.
- Ways of building internal collaboration with your legal, privacy, and business partners around compliance initiatives.
- The major roles and responsibilities of the Information Security Executive position today, and what you see for the future
Topic 6: Protecting Data from the Inside Out by Knowing Where your Software and Web Applications are Vulnerable Led by Prof. Howard A. Schmidt, CISSP, CISM, CSSLP
Data privacy. Outsourced Development. Security in the SDLC. There has never been a greater reason to secure your critical data, and it is your applications, the foundation upon which organizations function, that are putting that data at risk.
Although analyzing applications for insight into risk may seem daunting, the path to knowing where your software and web applications are most vulnerable and remediating those vulnerabilities is critical to understanding and managing your business risk.
The ongoing epidemic of data breaches, together with regulations and compliance standards such as the Payment Card Industry Standards (PCI), has painfully highlighted the insecurity of many of today's applications. How, then, can organizations ensure their applications are secure, and avoid the cost, the stock price downturn, or worse, having to explain to consumers and regulators how code defects allowed attackers to steal sensitive information?
Historically, the focus has been on one of the following two approaches to securing software:
- Manual Security Code Review, which, while providing a thorough analysis, has issues of efficiency, repeatability, reliability and cost, and also requires highly skilled security expertise.
- Penetration Testing, which focuses only on web front ends and exposed interfaces. Pen testing is considered an "Outside-In" approach and requires a functionally complete application to analyze, so it cannot be built into the SDLC process.
While both of these approaches have their value, automated software risk analysis tools now allow organizations to approach secure code development in a more systematic, automated, and predictable manner. These tools can greatly improve the speed and accuracy of code review, and may be integrated seamlessly into the development lifecycle, precisely locating vulnerabilities in the line of code and providing detailed information about the type of flaw, the risk it poses, and how to fix it.
Discuss with your peers at this executive roundtable:
- Tools and technologies for identifying web application vulnerabilities
- Benefits of automating code review to ensure compliance
- Ways of firmly entrenching application security in all stages of the Software Development Life Cycle (SDLC)
- Roles and responsibilities of the application quality assurance (QA) teams, information security staff, audit professionals, and developers in ensuring secure applications
- Methods and processes to deal with attacks that target software and web application vulnerabilities
- Providing training for application developers in writing secure code
Topic 7: Achieving FISMA Compliance Led by David W. Stender, CISSP CSSLP / Krizi Trivisani, CISSP
All federal agencies are required to comply with the Federal Information Security Management Act (FISMA) guidelines for IT systems security. Failure to pass a FISMA inspection can result in unfavorable publicity, increased oversight of your agency, computer breaches, and even a reduction in the IT budget.
FISMA provides a framework for ensuring the protection of government information, operations and assets. The legislation requires agency officials to implement policies, procedures and practices to strengthen information security, and reduce security risks. FISMA compliance requires agencies to:
- Implement and adhere to security configuration standards developed by NIST
- Identify and resolve risks
- Perform ongoing assessment and testing
- Conduct annual reviews on the effectiveness of the agency's information security and privacy programs, and report the results to the OMB annually.
Protecting the privacy and security of federal information and systems, and complying with FISMA requirements, is a significant challenge for federal agencies. Faced with meeting FISMA compliance requirements cost-effectively while achieving business objectives and mission, agencies must be efficient to balance both demands.
A best-practice approach to FISMA compliance requires development, implementation and continuous measurement and monitoring of an agency-wide, risk-based security program.
Such a solution instills accountability, proactive protection, integrity, and continuous improvement.
Discuss with your peers at this executive roundtable:
- Key steps in achieving FISMA compliance
- Tools that can help you meet FISMA requirements
- Strategies, methods, policies, and processes for complying with the regulations
- Identifying and prioritizing where to start to meet the new law.
Location: Foyer
Location: Salon II Ritz Carlton Ballroom
Hosted by Ted Schlein, Managing Partner, Kleiner Perkins Caufield & Byers, with Philippe Courtot, Chairman and CEO of Qualys, and John M. Jack, President and CEO of Fortify.
Host:
Ted Schlein
Managing Partner
Kleiner Perkins Caufield & Byers
Guests:
Philippe Courtot
Chairman and CEO
Qualys
John M. Jack
President and CEO
Fortify
Guest Speaker:
Lt General Charles L. Johnson II (Ret.)
Vice President
Boeing, Air Force Networks and Support Systems
Topic: Finding Clarity in the Abyss – A View from the Top
The next few years promise great challenge and even more uncertainty that will keep top-level executives “awake at night”. In this rapid-fire Q&A, Philippe Courtot, CEO of Qualys, and other guest CEOs will reveal their views of the current market and their vision for what it takes to prepare their organizations for the rough waters ahead.
Working with their customers every day - the best security organizations in the world - they will share how their customers' security executives have changed their mindset and priorities to lead effectively through the reality of shrinking resources and the demand for impenetrable security. Implementing innovations and managing transitions are key to the viability of the organization, as well as the CISO's career. Hear the predictions of what attributes will lead the organization and its security leaders when the abyss clears.
Location: Salon II Ritz Carlton Ballroom
General Colin L. Powell, USA (Retired)
Location: Plaza Ballroom