Live from Las Vegas, it's theCUBE, covering Knowledge 16, brought to you by ServiceNow. Here are your hosts, Dave Vellante and Jeff Frick. Welcome back to Knowledge 16, everybody. This is theCUBE, SiliconANGLE's flagship product. We go out to the events. We extract the signal from the noise. Bart Murphy is here, he's the CTO of York Risk Services Group. Bart, good to see you again. Good to see you guys. Thank you for having me. So, what's been going on this week? Busy week? What have you been doing? This week has been busy. Been doing a couple of different things. One, on the CIO Decisions Track, collaborating with those folks and getting some sessions in from ServiceNow. And then on the partner side, talking to customers, checking out and enjoying the keynotes and seeing what's new on the platform. Very exciting. Did you see Secretary Gates last night? Were you able to sit down? Unfortunately, I got pulled off for a call, so I didn't get it. That's the one thing I did miss. You have to call me out on that. Well, one of the things he said, which I want to ask you about, as a former CIO, CXO. Now, he said that consensus management, don't even bother. Now, he's speaking to a bunch of CIOs as a CIO. Challenge, right? It's a challenge. I think there's one component that you have to devise a strategy that you know is sound and you have to have some resolve to help sell it. So, I see that component of it, but the other is to sell that vision and get other people bought in. So, I think there is a consensus component from that, certainly from the executive team, and then you have to go sell it to your organization as well. And I think that truly doesn't come from just talking about the vision or the business case. It's from actually delivering the software and delivering the services and doing it in an incremental basis that allows them to see and gain value from that. That's what you build your credibility up on, and I think then that's what helps sell it. 
So, you've gone through a few changes, personally, your company. So, take us through the CareWorks acquisition. Sure. Yeah, CareWorks Family Companies was acquired by York Risk Services Group. So, we're now part of a larger organization, a national organization, although CareWorks itself had a few of the companies that had a national footprint. A majority of them were primarily based in Ohio. So, strategically, great fit, a great company. I moved into the corporate CTO role about a year, year and a half after the acquisition, and have been really trying to build out the entire enterprise strategy from an IT perspective, because they had procured a lot of, and acquired a lot of companies over a two to three year time span, and so we need to really invest a lot of time on what the future state of IT is going to look like. So, it's interesting, you've gone from CIO to CTO. A lot of people talk, come in theCUBE, and they talk about the role of the CIO. We talk about all the time. And there have been some that put forth the notion that the CIO eventually is going to have to choose a path, a technical path or a business path. You know, maybe both at different times. Do you subscribe to that, or do you see the CIO role as continuing on as we've known it? Yeah, we don't have a separate CIO and CTO. I oversee the IT, including operations. To me, from a title perspective, I just want to have the organization view that that role is part of innovation. We have a chief innovation officer as well, but from a technology perspective, I think it's very difficult to run operations if you don't have a good grasp of the technology and the platforms. So, regardless of the role or title that they give me, I think it's more about what are you managing, and I don't want to ever be broken up between sort of a CTO role that's maybe more focused on newer technology projects, and then a CIO only based on run methods. 
I want to make sure that those organizations are always combined, because you're going to build much better software if you also have to support it. We also want to make sure that the automation is in place so that we have our support organization in mind when we actually deploy new platforms, new applications, new systems. So, do you see yourself as a software company? You know we do. We're in the risk services business, so we are a services provider to carriers, to large self-insured, to large claims organizations. So, we see ourselves in a lot of what we do is differentiated by our technology, whether that's better business process, outsourcing functions, or our ability to do bill review faster, more accurately. So, our CEO definitely sees us as a technology company, and that's why there's a lot of investment in time being put in to sort of build out what that future state of IT is going to look like. What are you doing with ServiceNow these days? How did the acquisition affect that and where you headed? Well, so we just went live with the York Risk Services Group on ServiceNow's platform, on Geneva, and that's actually a separate production instance that we have with CareWorks. So, we deployed the CareWorks instance in early 2011, late 2010, in that time frame, and there were, you know, there's a ton of customization, a lot, you know, very solid platform for that family of companies. With the York, there's a much larger scope that we wanted to address. So, very lucky again to be in that situation, because I had an opportunity to start a redo in any time that you work on a platform and you do it for a few years, and then you get a chance to actually build again. So, we really took more of an enterprise, ITIL, out-of-the-box type of approach so that it could be flexible enough to manage across the entire enterprise, including all the acquired companies that we plan to pull onto the platform. 
And then that gives us time to figure out what was really the best out of our other platform that we want to retrofit back in. But the main reason I did that is to make sure that we could get some benefit out of the platform now and work and migrate into the business shared services functions within York that I think are going to benefit very much from the new platform. So, you got a mulligan of sorts. A little bit. Yeah, I got lucky on that. And a little bit of a mulligan. And again, it's all about trying to make sure that we can come in and we just went live. We're going to have our challenges, like with any organizational change management solution, even just on the ITSM side. But the cadence in which we're putting out releases to actually improve and bring on other shared services functions, I think is where we'll gain the majority of the buy-in. So, this notion here talked about a lot at this conference, the single CMDB. Yeah. Is that something that you're able to achieve or working toward or are you there? Absolutely, it's the goal. I mean, I don't know if you ever achieve it. I think it does take a lot of time. So, the goal is to have everything in one platform for all of our companies across the board and to help facilitate automation, whether it's with GRC, with the new security product that's coming out, which is something we're looking to get deployed in Q3. Q3, Q4, hopefully sooner rather than later. I just see there's a bunch of play on the automation and orchestration side as it relates to tying in IT and tying in audit, tying in security. And then also looking at business shared services and that's a whole different world of figuring out how can we help them? We have our operations service center actually part of our next release. So I'll be very interested to see, they do a lot of things manually, like everybody does. It'll be very interesting to see how they see the platform and what they're going to come up with as a strategy long term for them. 
So far you mentioned a couple of times that York's made a number of acquisitions your company included and don't have forward-looking statements obviously, they're going to keep rolling up more things. But if you can speak to using ServiceNow as a vehicle to better integrate acquisitions because for a lot of companies that's a strategy. Yeah so and I actually have a strategy around that leveraging the platform and it's one of the main reasons I wanted to get it in now so that I could eventually build that. And my whole goal there is to leverage performance analytics. And the way that I envision using that is in many of the companies that we acquire, they will operate still stand alone from an IT perspective for some period of time. Whether that's six months, three months, two years until we can fully integrate them whether it's network, systems, consolidation, you name it, it takes a long time it's not something that we have solved. So part of it is to be able to do modeling using performance analytics by pulling in the data. So I can get them now onto this cloud platform because they don't need to be on network. I can have them operating their work within that platform for a period of a baseline period of time and I can start to model that using performance analytics to say how would that impact our enterprise SLAs? Does it help our enterprise SLAs? Does it degrade our enterprise SLAs? Are they staffed appropriately to actually meet our enterprise SLAs? And what are our enterprise SLAs once we start collecting all this data based on how we're staffed and how we're going to fund that transaction? So Bart, if I understood it correctly, you have a dual role, CIO slash CTO, okay. Is the CISO report into you or are you CISO also? He does and that's a new role that we established about a little less than a year ago. There was a VP of corporate security but we didn't have a chief information security officer. 
So I went out and got a very seasoned CISO and working not only as an internal, what we do internally also within our tech company as well. We started cybersecurity practice. So everything we do, we try to make sure that we can actually support our technology investments from an enterprise perspective and be able to self serve ourselves as an enterprise. So very excited about that. That's why we're getting into the security components and some other products that we think will integrate extremely well into ServiceNow. Let's talk about that a little bit. I want to put forth the premise. You tell me, feel free to tell me that premise doesn't hold water but it seems to us that there's been a shift in thinking about security from a focus on defense, defense, defense to one of, we're going to get infiltrated. It's all about how we respond. And I as the CXO, whatever, CISO, CIO, CTO can help lead that response mechanism, but it's a team sport. Is that a valid premise? I think it's valid. I think it's a little, it's driving some change via fear, but I think that certainly from an external perspective, you can protect yourselves pretty well. A lot of the breaches actually occur and some of the cases were internal or through third party partners. So I think there's been a lot of additional due diligence being put on organizations, especially as a service organization, we work with a lot of large insurance carriers as an example. So we are getting hit with a lot more requests and a lot more sort of assessments on what our controls are in that space. So we need to be mature in that space no matter what. Since again, we're providing services to clients in this space and we're collecting a good amount of claim data and bill data and medical data. So I'm not as going out saying, okay, it's just when it's gonna happen and how we handle a breach if that's the case. 
I'm trying to figure out what are the ways that we can proactively manage our environment and be able to respond in a much faster fashion to isolate an issue as quickly as possible, which is why I'm really excited about the automation and security component within ServiceNow because properly integrated with some of the other tools that we have, there's a lot that the system can do that a human can't get to fast enough that will actually shut down and manage that risk extremely well. Do you believe at the board level there's sort of open and transparent communication that it's not about if we get infiltrated, it's that we have been infiltrated and we will continue to be infiltrated? Is that discussion occurring? I think yeah, at the board level, they're certainly more aware and not just from their participation in our board for the companies that they run themselves because many of these folks come from companies that they run themselves. So I think there's certainly an awareness. I think they're demanding and wanting to have more concrete plans on what your corporate security strategy is gonna be. So we've produced a three year plan on what that is and have presented that to our committee and are starting to communicate that all the way up through our CEO. So I think there's more awareness. I think that for whatever reason, people think that IT hasn't been working on this for some time, but they have. So there's a lot of good things that we've already done and already put in place that people just need to be made aware of it and get up to speed if you will. And then here's what we're doing to invest in trying to stop future things or to be more proactive or to have better controls, better audit practices, those type of things. What's the right regime for cyber security? In other words, who should be responsible for? It should be a single tech group or should it be a wider group? What responsibility should be? Yeah, no, it's by committee. 
So our committee includes our general counsel, our CEO, our chief human resource officer, our COO. So it's a joint effort. Certainly there's a large component of IT because many of it is about your defenses and your ability to manage and maintain and keep your data secure. But security is a company-wide initiative. Everything from training all the way down the associate level to not click on bad email links that no matter what you do and what type of antivirus you have and you're still going to get some of those phishing emails in, some of those ransomware emails in, those type of components. So there's a whole education component that goes all the way down to the associate level. If that's not understood by the management over those groups, then, you know, how is it going to actually be distilled down and supported? So it's a complete company effort when it comes to corporate security. And how about the business lines? Because our research shows that a lot of organizations don't, you don't even have to specifically answer for your organization, just in your experience as a CIO and a CTO. If it seems as though a lot of businesses don't understand the value of their data or the value of their IP and as a result, don't really know how to protect it. Is that something that is challenging for organizations? I think it is, at least when I've talked to other clients. Potentially, I think it less today than it was even five years ago. We certainly know the value of our data. I mean, there's been too many breaches in the large breaches in the past three years to not be aware, I have had that question asked of you and even from a business perspective, understand the exposure. So, you know, what is it, $150, $175 per claim, potentially on the data side. So people even put metrics around it so that you can quickly go through and establish what you think your overall exposure is from a dollar perspective. 
And that starts to, you know, open eyes when you have millions of claims or even more millions of bills. And that's your business. Yeah. So you would think you have a better understanding of it than most, but so for those who don't, how should they go about achieving that knowledge, that awareness? They should find someone that, you know, maybe some type of trusted advisor or they, you know, whether they need to hire a consulting company, whether they need to go and just converse with another group, like a CIO group and ask, hey, how have you guys done this before? There's a ton of collaboration at that level where people are asking, hey, how did you guys come up with your security roadmap and what did that look like? Because the value then drives your investment decisions, right? Because that's the other thing. It's kind of like insurance. When is enough enough? You could always spend more, but at some point you're going to have diminishing returns relative to the value, but you've got to have a basis to set a budget. So I would imagine the value of the data, the value of the risk, whether it's- The value of brand, right? So outside of the hard costs of potentially, you know, getting credit rating or those type of components, you know, there's the brand discussion and I think that's somewhat invaluable. So, you know, budgets aren't just, oh, you go spend what you want, but there's certainly a lot of awareness that money needs to be spent in that area. It needs to be spent wisely, but there hasn't been an issue as to either one, we're coming up with wild budgets for security, but explaining what we're doing and why and how cost-effectively we're doing it has been very well received. In thinking about how you communicate to the board about cybersecurity, what would be the top two or three things that you would recommend that a CXO should have on his or her checklist? One is, you know, understanding all your endpoints. 
So understanding everything that's in your network and it's an easy to say, but it's a very hard thing to do, especially when you have external-facing applications and you have a lot of different networks. So understanding your scope of devices and understanding, you know, that way that you can understand and start to collect and fill up that CMDB and understand, okay, if I have a patch that wasn't applied, how many devices were impacted? You know, how quickly can I get those remediated? So that, you know, I think understanding the technical scope of your organization is important because it's very difficult to understand your risks, you know, rating if you will, if you don't understand the tools you have in place and where your potential holes may be. And then understanding, you know, your core data. So, you know, what is in your data that would potentially create a potential risk, even a financial risk? Certainly we go through all the insurance process, right? And even insurance now for cyber liability insurance. You know, the forms four or five years ago were much different than the forms that are being filled out today, much different. A lot more detail, a lot more drill-down. So even just going through that process alone drives you to actually go and collect all this information that I'm talking about today. You know, so understanding your internal environment and understanding, you know, those endpoints, understanding the scope of your data management and then I think it's around developing a sound strategy that is not just short-term, but short-term and long-term with investments, not just in tools, but also processes, training, those type of components. Do you look at security and responding to security as part of a business continuity as opposed to sort of a bespoke initiative? It is, there's business continuity and DR and both have components of security. But it is truly a way to ensure that you stay in business, right? 
And if people don't view it that way, then there's a lot of organizations that have been either crippled, not necessarily put out of business, but impacted extremely large financial impact with unmanaged breaches that actually went on way too long, right, and they weren't able to detect it. So I think that there's a component there where you have to really think about what's the scope of the work, what's the scope of the risk, and how much do I need to invest? And you see ServiceNow. I mean, I'm spending so much time on security this week because I'm excited about what I saw on Monday at the financial analyst meeting and talking to folks about this very important topic. You see ServiceNow as playing a role in solving this problem. I do because we're a big user of GRC. So we already went down the audit route with ServiceNow years ago. So this is just another extension I see of, not just audit controls, but being more proactive on the security side. And so since all of our information's in this platform anyhow, we have a ton of opportunity to automate and manage. A lot of the things that, again, could have potentially gone unnoticed for a period of time simply because of manpower or logs that if you ever had to review logs from some of these devices, I mean, trying to find the needle in the haystack is very difficult. So tools are extremely important in this space. Humans cannot meet this challenge alone at all. Can you just make a tag cloud? You wish, right? So. Awesome. Bart, listen, I'll give you the last word. So your impressions on Knowledge 16? I'm excited, you know, the way it's grown. Again, the way that they're really being purposeful about how they're building out their platform and truly trying to solve the enterprise problems, it to me is just, it shows a very strategic, well thought out plan by ServiceNow. And as customers and partners, that's what you want to see from a company. So for me, I'm just very pleased where the platform is going. 
It's exciting how much they've grown, but the way that they've been able to invest in the right things, I feel, and truly integrate things into the platform, even acquisitions that they had, and truly make it part of the platform versus an add-on, I think is really differentiating them from a lot of products that have grown in a similar manner, but become unwieldy to manage because they're just pieced together. So I'm very, very excited. Fantastic. theCUBE securing knowledge for our audience here, Bart, you're full of a lot of knowledge and really appreciate you coming on theCUBE and sharing. Yeah, appreciate it. Nice seeing you guys. All right, keep it right there, everybody. We'll be back with our next guest right after this. We're live at Knowledge 16 from the Mandalay Bay Hotel in Las Vegas. Right back.