Las Vegas, it's theCUBE, covering Knowledge 16, brought to you by ServiceNow. Here are your hosts, Dave Vellante and Jeff Frick. Welcome back to Knowledge 16 everybody, this is theCUBE. theCUBE is SiliconANGLE's flagship program. We go out to the events, we extract the signal from the noise. Alan Leinwand is here, he's the CTO of ServiceNow, CUBE alum. Alan, great to see you. Thanks guys, thanks for having me. Nice job in the keynote this morning. All right, bring out your inner Zuck, you know. What's happening in the world, your world of hoodie, hoodie land. You like that kind of thing, right? I loved it, it was great. How does it not live by the way? We bring out our inner Britney Spears with these things on it, so inner Zuck is way cooler. Yeah, I mean what's happening in the world of enterprise cloud is really sort of expanding the ecosystem, beginning to get more developers on the cloud, beginning to look into new geographies, really beginning to expand the customer base beyond where we were last year, we were talking about this, right? Last year we were talking about educating people on the cloud and getting people to really understand what the cloud is. And now they're beginning to adopt it, they're beginning to adopt it and sort of leverage it across the enterprise and it's really just an explosion, it's really exciting. So how have you been spending your time in the last 12 months? Well, you know, last 12 months we've been expanding our infrastructure and operations teams. We've been building the backend systems to be more scalable. And I've been out talking to a lot of customers and a lot of partners as well. Another thing we did in the past 12 months that's really exciting is we made our cloud what's called FedRAMP compliant, which means that I know we can address a larger portion of some of our federal government space as well. So don't hate me for saying this, but when we first met ServiceNow I was like, wow, that's a nice cloud. 
But it's getting to be a big, nice cloud. I'll go with bigger and nicer. So you're scaling, you know, in a pretty substantive way. That's right. Talk about those challenges. Well, there's always challenges when you scale up infrastructure and you scale up operations. There's always challenges in terms of doing things like wanting to follow the sun. So you can always have people there 24 by seven no matter what geography you're in. There's always challenges in terms of operating at scale. It's one of those things that until you do it you don't know how to do it really, really well. It's kind of like swimming in the deep end as I look out at the pool here right now and then. So for us it's been a little bit of building our muscle memory up, making sure we're ready for events, making sure we know how to deal with operational issues, and also trying to make sure that we can scale to match the needs of our customers. We're seeing our customers put more data in the cloud. We're seeing them run more operations. We're seeing them store more information from different departments and build apps. And all that means that we need to think about scaling both the application tier and the infrastructure tier in ways that sort of really pushes the edge. So global cloud adoption obviously, Frank a couple years ago called it the cloudification of our all industries. And you're seeing clouds pop up everywhere. You've got sales clouds, you've got marketing clouds, you name a cloud, somebody has Google Docs going crazy. Because ServiceNow's peeps, if you will, are IT, are you able to, are your customers able to deal with cloud creep in a more ordered manner? Can you talk about that? Well I think because, as Frank would say, our homies are the IT folks, they're used to dealing with technology. So you're not used to coming in from the marketing side or the sales side. You're coming into IT folks who understand how to operate these environments. 
And because they understand how to operate these environments, extending that out to the rest of the enterprise is almost empowering for them. You'll recall Frank talked about on Monday how IT isn't a department anymore. It's sort of embedded itself in all the other departments, become the thing that really drives the backbone of the enterprise. So what we're seeing is that we go in through IT, generally, and that's right, that's sort of been our base. But once we're in, and IT realizes that they're not the guys sort of stuck fixing the printers and working on server rooms, but they're the guys that can go to HR, they can go to finance, and they go to facilities and really make them better and automate what they're working on. They kind of feel really jazzed about it and they come kind of really excited about working in those other areas of the enterprise. Do you still get a lot of friction from customers about security, we want it on-prem? Do you still hear a lot of that or is that sort of yesterday's news? No, I think generally people are always concerned about security. We have a mantra and we say this all the time and that is our customers' data, we treat it like our own. So from our perspective, when a customer trusts us to put data in our cloud, we want to make sure it's secure. So we give them lots of different pieces of functionality. We give them functionality at the hardware level, at the software level, at the platform level to make it as secure and as tight as we could possibly make it in the environment. And in different geographies, you hear about these things more often than others. Perhaps in Asia, they're a little more conservative, a little earlier to adopt these sorts of things. Perhaps in the United States or in Europe, we're seeing faster adoption in other areas. But I kind of wonder if we're gonna see a leapfrog effect. 
You've seen some laggard geographies, perhaps that are more resonant because of the security issues, but there are also the geographies that on the consumer side are really pushing the envelope, South Korea, China, places that are sort of zoomed past other people. And I think it's a concern, but I'm hoping that over time, as we prove and gain trust and employ technologies that will really make it less of a concern. And how do the different kind of regulations in the different GEOs help you define almost a different spec? And are there kind of best practices you can use that are driven by maybe a more stringent regulation that actually helps you build a better cloud for all of your cloud? Yeah, I mean, you're right. I mean, you asked about different geographies and previously asked what I've been doing for the past year. I've been reading a lot of those regulations, and that's a good sleeping material. But what you'll find is that people are generally concerned around making sure the data is sovereign within their environment. That's why we have all these data centers and these paired in different sovereign regions. They're also concerned about making sure that, let's just call it what is, it's a Snowden effect. They're worried about our government, the NSA spying can reach into their data and extract it back out. So one of the things we've done in the past year is we've released technology that allows people to encrypt data on their premises before it ever hits our cloud. So if the NSA was to come to us and say, give us that data, we literally couldn't unlock it for them. How do you do that? Is that an appliance to somebody? It's not appliance, it's a virtual appliance. So it's a proxy. So we stick the proxy behind the firewall on the customer premise where they installed their own key and that key can be rotated on their own schedule every hour, every day, probably more like every quarter, but they rotate it on their schedule. 
And when they go to connect to ServiceNow, the browser connects that proxy and then based upon rules that they've set up on the proxy, fields are encrypted. Maybe people's names, maybe their home addresses, maybe seller information, stuff they're really concerned about that could get broken into. And when it comes over to our site and gets written, it's completely gibberish from our perspective. Yeah, so you've got nonsense to you or to anybody who sees it or if you ever had to give up because of some government action, nobody would be able to read it. I mean, the way we think about it is and the way we address some of the geographical data sovereignty concerns is if a customer says, I'm concerned about putting data in the cloud because of data sovereignty concerns, I say, well, that's great. If the data is actually at the edge in your data center or from the point it leaves your data center, it's nonsense and gibberish to us, did it leave your data center? If a tree falls. And you sort of play that out a little bit and because of all the regulation, there's the law and then there's the interpretation of the law. So I'm not a lawyer, but I think when I have these discussions with the security folks, they get it and they're able to sort of extrapolate and triangulate down to a solution that works for them. Well, it's definitely gray area. Now I should know this, but how about like data locality? Germany, obviously is a big one. I know Dan in the past has shown sort of where your data centers are building that out or is it pretty much status quo or where do you stand there? Right now, we're continuing to status quo. We do have data centers in the European Union. We have them in London and Amsterdam, so that's where customers would go. We have them in areas where data sovereignty is a big issue. Brazil, Canada, Australia, things along those lines. And Asia, countries along those lines. 
But again, customers are in a particular geography and they're putting data that they think is going to be of a concern to leave their border. Then we just tell them to encrypt that at their side. Okay, and that, at least so far, satisfied the requirement. You know, there's always corner cases. Well, you have customers in Germany. Exactly. You know, we've seen them up on stage and day one, they're talking. I like the accent. I understand those guys. I saw them at the party last night and they're hanging out with them. They seem really happy customers, so. Right. Okay, so that's cool. Okay, so when you think about cloud adoption and its pace, what are you seeing as sort of the next wave? What do you forecast there? Well, I guess the short answer is we're trying to see people really move into other verticals. One of the biggest waves we're seeing is customer service. You know, we launched that app here at Knowledge and really seeing customer service and customer service requests and having that tied into other assets within our system of record is just an explosion we're seeing. We're seeing that application, that vertical and every customer meeting I've had, people have said, and this customer service thing, how would that work? And how does that tie together? And I think that's really super exciting. Another exciting area for us, kind of going back to the security vein, is the security operations tool we launched. Let me tell you a little bit about that. When we, well, when I first came to ServiceNow a number of years ago, when a security event would happen, because we all have them, it would be ignorant for us to say we don't have security issues and things we raise our head up and go, we should take a look at that. What we'd generally do is we'd have a conference call and we'd sort of like work it out. 
But what you want to be able to do is have a process that says when somebody pulls the fire alarm, everyone knows how to get down the elevators and orderly file and who calls the fire marshal and who notifies the news and how does all that happen? And we wanted to have that same process. So we developed that process internally and then once we did that, we realized that, you know, other people might benefit from this. So the security operations management portion that you heard Sean talk about on stage yesterday is another area we're seeing just grow like gangbusters. So essentially what you described is you codified the response plan and made that available for your customers. Who does that inside of an organization? And it's not one person, is it? Well, no, generally it sits inside of a chief information security officer under the CIO and that's the person who's generally responsible for security response. But being the guy that sort of had to be on the other end of that call, I need to know when I have to call Frank, I need to know when I have to call Dan, I need to know when I need to think about calling lawyers or calling the news media and without, you know, and of course these things always happen at two in the morning, three in the morning when you're, you know, not exactly the most awake on the planet. And you need that pattern recognition if it's written down or it follows a workflow, it's so much simpler and your response and your blood pressure is so much lower that it just gets things done faster. Yeah, you're right, what do I gotta do? I know what to do, it's right there. Yeah. It's documented. So it sounds like you're sort of brought in to a lot of discussions around security with customers, is that true? Yes, it is. May I ask you a question? What should be on a CXO's checklist when he or she needs to go communicate to the board about security in this day and age? What are the two or three most important things? 
I think the two or three most important things they need to communicate is what is their security incident response plan? So if I'm a board member and I have a CISO or someone charged with security, I wanna know have they documented a security response plan? Have they exercised it on a regular basis? And do they know, have they tested it? You know, have they run the fire drills? Have they run the proper processes and procedures? I think the second thing that they wanna do is they wanna be able to understand what we like to call the attack surface of their enterprise. We have a particularly interesting and narrow attack surface. We run one application called ServiceNow. We run it 35,000 times across the planet, but we run one app more or less on the production cloud. But if I'm an enterprise IT, CIO or CISO, honestly, I got a much bigger problem. I'm running tens or thousands of applications that I don't know the surface area. I don't know where the holes are. I've probably interconnected them in a thousand different ways in trying to describe that surface area and understand the vulnerabilities behind it, which leads to what risks are in my organization and those risks are the things that will then be penetrated and then be taken advantage of to generate an event. So I would say, do I have a process and then do I have a process to identify risks? Because those are the risk areas that are probably gonna generate a security event. That's why I think about it. Those are good. I was gonna say, and do CIOs appreciate that if they accept the fact that there are safe clouds, which I think most of them do at this point, that they can offload a chunk of that to you for this application and potentially others other places and reduce their complexity, their attack surface, at least by a little bit, by kind of pushing a piece of it off to you. Yeah, I mean, the idea is that the data that they can use to respond to the attack is something we can help them manage in the process. 
But also if they do write enterprise apps and they live within our cloud, then their internal surface area goes down and we're responsible for that other portion of it. Because there's a real partnership between the enterprise and us to make sure that we have a cohesive security plan together. So I've been saying all week, I think you guys nailed it because it's all about the response. Yes. And really, I mean, you're really one of the few companies, frankly, that's talking about that. There's still so much talk about the perimeter and everybody realizes, okay, we gotta shift it. A lot of talk about analytics and finding the bad guys when they get in. There's very little talk about the response and that's what it's all about. You talked about pulling the fire alarm, having an orderly way to exit the building. Are boards giving the resources to their, whether it's security or IT organizations or their businesses, to practice response in your opinion? I hope so, is a short answer. I don't know. I don't know what other boards are doing but I really hope so. But the key in all these events, whether it's an operational event, whether it's a performance event or whether it's a security event, is actually not that the event occurred. It's how you respond to the event and how you prepare for the next one. And I think understanding what that response pattern is in preparing, because another one will come, is super important in any operation. So you said recently, at the top of this, you said, look, it'd be silly to say that we haven't been infiltrated. Of course, it happens and it's going to continue to happen. I didn't say we've been infiltrated. I said we have security events that we need to react to. Events. Anomalies that I've been selling it to in the morning. Well, but so that brings up a question then. So I use the term infiltrated. Is there a transparent discussion going on at the board level that if we haven't been hacked, we will be hacked? It's inevitable. 
There will be events that occur because as little as four or five years ago, we would say we've never been hacked. You hear that. You used to hear that all the time at conferences like this. You don't hear it so much anymore. Is there a sort of change in the discussion that's going on at the board level? I think there has to be. I think that there are, one of the things that's interesting in the industry is there are better tools to identify those vulnerabilities and identify those risks. You talked about people at the edge and finding vulnerabilities and finding zero-day attacks. And so they know that the attack surface is being pecked at, if you will. Making sure that people know how to respond to that, making sure that they know how to react to that. And if they're not being given time to do it, then they should start taking the time. What's the nuance between event and infiltrated event? Is somebody trying and infiltrated? Is somebody succeeding? Or can you describe that? In my mind, infiltrated is targets, customers, credit cards are online somewhere. And an event would be, we see an anomalous traffic pattern that we think might be something we want to pay attention to. Let's hop on it. An anomalous traffic pattern, someone's not gonna let the door, they're not gonna let the door in a weird way we haven't seen before. They haven't gotten let in yet, but we're gonna go attack that problem anyway. Or maybe, yeah, there may be traversing different servers and knocking on the door. Is that? In our world, it's not, you don't actually get to the servers, but we'd see it at the network edge or we see it at the firewall edge. And we'd see, there are signature attack patterns that exist on the internet and you see these things occur. And you wanna be sure that when you see such an attack pattern occur, you know how the infrastructure can react properly. So you're using analytics presumably like others are to. Absolutely. 
Sort of determine if people get in, when they get in, what they're doing, what their behavior is. Yeah, the term we use is signal from noise. We spend a lot of time with analytics determining security signal from noise. And you obviously dog food, drink your own champagne or whatever you wanna call it. But you're also using other standard industry tools. Absolutely. Like everybody does. Absolutely. And the difference being you're applying, and some of your customers are doing this, I think it's signed 4, Q4, 11 and Q1 and the number keeps growing. Good numbers, I don't know. But you're using, I think that's what I recall from the conference calls, but you're using obviously your own security capabilities in ServiceNow to respond as you would recommend to your customers. So what would you recommend to CIOs and CISOs that are struggling with this problem? They've spent way more money on building moats deeper and wider than they have on other response mechanisms. What would your advice be in this day and age? It's a tough question. The whole industry around that. I think that being able to forensically now analyze the data, make sure you have the right data collection. Because there's a lot of ways to, once you've got the data, to sift it and find signal from noise. The harder thing that I think people haven't internalized and sort of taken a step back and asked themselves is, am I collecting the right data? Do I have all the right data points? Do I know if someone's knocking at the door? It's real easy to find it if someone broke a window in their house and they stole your jewelry. That's an after the fact artifact that you can go find and you can analyze. But how do you know if someone's tapping on the glass? How do you know if you have that data and how do you know if that data stream? Because if you've got that, that's gold and you have to then analyze that and there's lots of industry tools. There's their Splunks. There's the Qualys to look for vulnerabilities. 
There's all sorts of stuff from Juniper and various vendors that can help you harness that data. So I would ask, am I gathering the right data? Do I have the right data streams? Am I putting in a way that can be interesting and useful to us? And then I would take a look at a tool like ours to understand how to respond once I know I've got that signal. And do organizations understand, Alan, the value of the data, their assets, their people? The bedroom door is at the bank window. And if not, by implication, if not, is that hindering their ability to properly secure their assets and IPs? And that's to secure. That goes back to the whole surface area discussion, right? If I've got tens of thousands or hundreds or thousands or whatever the number is of applications, understanding what are those applications storing? Where are they storing it? What ports do they have exposed? What network patterns are you expecting to see to them versus not? That's a tough problem. That's going to take us a little while as an industry to get through, but I know there's a lot of folks working on it. But the simple part is everything I need to know I learned in kindergarten, which is the fire drill, which I think is really interesting in terms of practice and going through the practice and putting the processes in place. And actually, we used to hear a lot of talk about chaos monkeys and people letting chaos monkeys through to test these things. Is there a security kind of equivalent of the chaos monkey where somebody drops something in to kick off a process not only for your sniffers and your collectors, but more importantly, the people in process to then execute the response? Yeah, there is a series of tools that we and others use called penetration testing, which sounds a lot dirtier than it is. And that's really around trying to penetrate various environments to find out where the holes are. 
There's also things called vulnerability analysis tools that can actually look at how your systems and processes or things are interconnected and find well-known vulnerabilities. That's what we just launched in Helsinki with our security operations tool is you can have vulnerability analysis, that vulnerability analysis database. So what vulnerabilities are identified by the government can automatically generate security events. So you can say, hey, we're about to have a fire, let's go run the fire drill. Speaking of government, what's happening with the government in cloud? I think that we're starting to see more adoption from the federal government in the cloud space. I think, you mentioned before about people putting things in their own data centers. I call those guys server huggers, right? I used to be a server hugger. I used to love to hug my servers. I'd go through the blinky lights and they made me feel good. But I think the government is still trying to hug servers at times. And I think they are beginning to adopt the cloud. I think they're coming far more agile, far more willing to move some of that data outside of their own environments. You know, when you get to the three other acronyms and the super top secret stuff, I don't expect that. But there's a large array of government from regional, federal, state governments that can really make use, they're really just enterprises, running processes on our behalf for the citizens of their region, right? So I think there's a lot of things that can happen in the government space and we're beginning to see that adoption move pretty aggressively. It's kind of ebbed and flowed, Vivek Kundra, when he was sort of mandating cloud first and then, you know, then you get a new administration and then the very high profile, you know, CIA, Amazon, IBM, that whole thing. There was a breach in the federal government about a year ago as well, I'm forgetting the name, was it the VA? Oh yes, yes, right. 
There's some very bad thing that happened there and it kind of made everyone kind of, I was like, I'll get arms on the cloud but I think they're reaching back to us. But then there's the big data, you know, thing where a lot of the data's in the cloud and I want to move the data so you do the analysis in the cloud and they're doing a lot of streaming of data and so it's kind of inevitable, isn't it? I think when you look at making processes run efficiently and talking about automated workloads, you're going to look at tools like ours, you look at other tools that are in the cloud and I think it is inevitable that eventually using resources beyond things in your own four walls is where we're going to end up. Well, somebody had this, one of the keynotes I think it was today is we don't worry about, you know, infrastructure provisioning, we don't worry about all the security infrastructure. That was one from REI in the keynotes. We don't worry about database, schema, right? Yeah, that's right, that's right. We worry about our business stuff. You let us worry about that. Yeah, the big switch is on. I hope so. All right, Alan, we'll give you the last word. Things that are exciting you that you've seen this year or, you know, thoughts on Knowledge 16, just whatever you like to choose. I'll tell you, the one thing I thought was most exciting this year was sort of the different types of applications we're seeing people do within the Enterprise Cloud. I mean, everything from, I don't know if you're down in the CreatorCon hack zone, but there is an application to actually make, you know, alcoholic beverages, you know, you could pick what's your orange juice and which vodka and which gin, and you could use a service portal app to mix your mixed drink, which I thought was both useful and clever. There was things to control drones. There was things to do, applications to control drones. There was applications to do any number of wildly imaginative things. 
So the thing that gets me out of bed in the morning, the cloud, the infrastructure, the security, all that is kind of meat and potatoes. But the thing that just makes me leap out of bed and work with the customers is what they do with that environment. It's just awe-inspiring. So I'm just thrilled to be part of it and thrilled to see everyone here participate in the knowledge. It's excellent. One of the things that's not cloudy is all the innovation that's going on on top of the ServiceNow platform, Alan Leinwand. Thanks very much for coming to theCUBE. Thank you guys for having me. Take care. All right, keep it right there. Everybody will be back with our next guests of theCUBE. We're live from ServiceNow Knowledge 16 in Las Vegas. We'll be right back. This is a tale of two...