ServiceNow in security? Yes. The company has built upon its successful IT service management (ITSM) SaaS offering to bridge the gap between security and IT operations teams in areas like vulnerability management and incident response (IR). This places ServiceNow in the catbird seat. I expect big things and great success moving forward.
Old friend Sean Convery, GM of ServiceNow’s security division, recently stopped by ESG to discuss how the company plays in security operations and analytics platform architecture (SOAPA) evolution. In part 1 of the video, Sean and I discuss:
- Cybersecurity and IT collaboration. Yes, the “S” in SOAPA stands for security, but SOAPA integration can extend to ITSM tools as well. Sean and I talk about how SOAPA can facilitate improved communications and cooperation between security and IT teams.
- Vulnerability management. We’ve had scanning and patching technologies for years yet vulnerability management continues to be done informally, haphazardly, and ineffectively at many organizations. Just ask Equifax! Sean and I talk about how SOAPA has the potential to help automate processes and improve consistency here.
- Security processes. Sean talks about his surprise at the lack of process maturity in cybersecurity today. We then chat about how SOAPA and ServiceNow can help customers in this area.
Many thanks to Sean and ServiceNow for participating in ESG’s SOAPA video series. Hope you enjoy it and stay tuned for Part 2.
Jon: I'm here today with the GM of the Security Business Unit of ServiceNow, Sean Convery. Welcome, Sean.
Sean: Thanks, Jon. It's great to be here.
Jon: We're here to talk about SOAPA and you guys come at this from a different angle because you're coming at it from, sort of, ITSM and the IT operations side. So tell me, how does that sort of unique perspective, how does that help you as you approach SOAPA?
Sean: We actually got our start by having our own customers tell us that they wanted to see us make investments in security. So we saw customers building custom applications on top of the platform to deal with some of their vulnerability challenges, to deal with incident response. And so we really come at this from the angle that, you know, by getting IT and security working more tightly together, that you actually can make more progress towards solving the actual problem most organizations seem to have.
Jon: Yeah, that makes intuitive sense to me, but a lot of times I talk to CISOs and they say, "We know we have to work with IT ops, but we wanna maintain our independence." So is that a challenge for you to overcome, or is it something that you can work with your customers on?
Sean: Yeah, it's rarely a challenge for us. You know, it's actually something when I started at ServiceNow, I was wondering, "Well, how are we gonna get access to the security buyer?" And it turns out IT almost acts as the reseller for us. They sort of walk us into the security team and say, "You need to listen to what these guys are talking about."
Jon: Mm-hmm. And any pushback on cloud model? Because you know security people wanna own the technology, own the data, there's regulatory issues. Any pushback on that?
Sean: I mean, certainly there's customers that wanna go on-prem and must go on-prem. So you talk to certain members of the intelligence community, and they may have no access to the Internet for some of their network. So we certainly have the ability to go on-premises when we absolutely need to, but we try to avoid it whenever possible. Yeah, the biggest advantage that I talk a lot about when we talk about cloud is if you're doing incident response, you actually benefit from having a trusted, safe, other location to do your investigation and response, rather than being on the same network that's under attack.
Jon: That's true. You mentioned vulnerability management. I've been in security for 14 years. We haven't figured this out yet. And I know you've been in security for a long time. What are you doing to help customers there? Because in some recent research, vulnerability management came out as one of the biggest operational problems still. So what are you hearing and what are you doing?
Sean: Well, it's amazing, actually, if you just look at some of the more recent breaches that have occurred. So, you know, the CEO of one of the most recent companies that had a massive breach, you know, blamed the entire breach on a single individual not patching an asset. Right?
Jon: That's true, yeah.
Sean: So if your process is so fragile that somebody can forget to do something and it ruins the entire effectiveness of the organization, you have a process problem. You don't really have...people are gonna forget to do things all the time. You've gotta find a way to be consistent in your vulnerability response program. So if you look at this failure to patch problem...you talked about it. Like you said, for 14 years, we've been dealing with this challenge. Fundamentally, it's about how do you bring IT and security together to have a consistent approach to solving the problem. You have to be able to prioritize. You have to be able to have an agreed upon SLA. You know, if you're the CIO and I'm the CISO, if I come to you with a Sev 1 vulnerability on a business-critical service, you know, we should have an agreement. Are we gonna patch that in four days, four hours, four weeks? And then we should be able to measure and trend that over time. And that's what you can do with ServiceNow, which actually, it gives people at least a frame of reference that they can then think about, you know, do they wanna make additional investments to improve, are there areas the process can improve.
Jon: You mentioned process. SOAPA is a technology architecture. And that's why I've been pushing it. That's why I've been talking about the integration of different parts. But process is fundamental to these things, and sometimes I think we disregard the process. So how much of that work is something you bring to your customers to help them with those processes?
Sean: Well, it's a big part of what we're doing. So in the very early days of the product, we assumed every customer would have their own processes and they'd, sort of, be looking for us to fit into their frameworks. What we actually found out was they were looking for us to provide guidance. So now we have a lot of capabilities out of the box to help people get started because we find that the notion of orchestrating and automating things sounds great, but if you haven't actually defined a baseline of what needs to be done, even when it's a human, you've got nothing to automate.
Jon: Yeah, that's absolutely true. And that's what I'm finding, is oftentimes we assume that they have the process, but they're saying, "Hey, help me out. I think I do this well. I don't know if I do this well."
Sean: Yeah, absolutely.
Jon: So, great conversation. Will you stick around for part two?
Sean: Sure, that'd be great.
Jon: Okay.