Dave Vellante of Wikibon.org, and this is theCUBE, where we extract the signal from the noise by going into events like the ServiceNow Knowledge Conference. We're here in Las Vegas at the Aria Hotel. I'm here with my co-host, Jeff Frick. He's @JeffFrick. I'm @DVellante. You can tweet us questions and comments, and we'll make sure that we ask them to our guests. Derek Roestes is here, he's the Chief Security Officer of E-Protex, a ServiceNow customer. Derek, welcome to theCUBE.

Thank you very much.

So, yeah, we were talking off camera, Chief Security Officer. Anytime we get somebody in theCUBE that knows security, we love to pump them up and figure out really what's going on in the world of security. It's such a complex topic, and one that a lot of practitioners in our audience struggle with. But before we get there, tell us about E-Protex and your role there.

Sure, we're a very boutique consulting company. We work specifically around networked medical devices, the security of those devices, and other embedded systems. And we've been around for about four years next month. We incorporated, privately held, and we've gone, you know, we had a rough launch just because we launched in 2009, which was not the greatest year economically and financially to launch a new company, but we went ahead and braved that. And so now we've grown. You know, in the beginning when we first got ServiceNow, actually that was in early 2010, and we only had five users the first time we lit up ServiceNow and got started with that. So we'd gone through those growing pains of the initial startup of a company, you know, we got our web server going, we got our email system going, we got our CRM, you know, the most important things of a new business. And then after that, now we're starting to define some processes and needed a solution to help with that.

What was the impetus for going with ServiceNow at such a young stage and only five users?
Yeah, so I was actually the first employee of the company, and so my background was through service management from IT, traditionally, infrastructure and security. And I knew, building the company, that we wanted to use something that encompassed ITSM and ITIL-type strategies. And so having that as a foundation, there weren't a lot of options even then, and there's not necessarily a lot of options even now, but kind of going with that, then we knew that that was the platform. And so I knew it also was, growing the company and bringing in new employees, we wanted to ensure that we were bringing in people who understood how important it was to have a disciplined process and a software platform that supported that process.

So you wanted that to be a fundamental part of the culture of the company that you had just started?

Yeah, the key was we didn't want, and in security especially, it's very important not to be ad hoc. We had to be very repeatable. We had a customer base that we were building that we had to ensure had trust and integrity in our processes and how we were doing things. And so we needed a platform that would support that. And I wanted to make sure when everyone was hired and trained on that platform that they knew that was important.

So what was the experience like? Take us through that.

So we kind of went at it on our own, actually. I went ahead and we decided, and I guess some people at ServiceNow told me this is unique, as we didn't use any kind of implementation provider at all. So we just got the instances, we got the basic data, the dummy data that ServiceNow had, we cleaned that out and then started with kind of the modules that were there and built a few of our own, a couple of stories. Unfortunately this shows how much you need to keep track of where ServiceNow deployment is going and development is going. There was no sales force automation module in ServiceNow when we started. And so I wrote one in about six hours. Start to finish.
We should have had you in the hackathon just now.

Yeah, exactly. Now I hire people to do that for me. But in six hours we had our own CRM and we started using it, got the data in there and used it for our emerging customer base. And about three months later, ServiceNow made this great announcement that the sales force automation module is available. So I transitioned our data. Well, unfortunately I didn't learn from my mistake and that same thing happened again. I wrote kind of an IT GRC module, so a governance, risk and compliance type module, and a few months later ServiceNow did it again.

Do me again. Are you sure they're just not ripping off your code?

Maybe so.

Fred Luddy told us he is a famous thief.

Exactly. He's out of it.

Because downstairs it looks like there's a ton of kind of service providers and app providers. So was there no infrastructure, you know, kind of community of apps for you to pull from, or has that really changed over time?

To be quite honest, it's easy. It was easy enough, the barrier was so low to just get something written, get something going with that platform, that we really didn't even need to reach out too far. And now it's funny, talking here at lunch with some attendees, there's a little struggle with not necessarily finding good partners like you mentioned, but actually finding internal resources, because there's a lot of competition for development, and developers know this and so now they're demanding more salary and they're starting to understand that, yeah.

Start their own company instead of coming and working for you.

Exactly.

So you're in a really kind of crazy space, because you combine network-attached medical devices. So you've got the medical device, you've got the HIPAA privacy issues and then you've got what was always kind of a barrier to early cloud in terms of they're all network-attached. So talk about some of the unique security challenges that you guys face and the fact that you're able to overcome them.
Sure, yeah. So we are, like I said, we're boutique. So as you mentioned, networked medical device security is our tagline, that's what we work in. So we work in hospitals, we have over 100 sites across the country that we work in, these hospitals, and we kind of work with assets that traditional IT doesn't want to work with. So medical devices are one, it's not really an IT device, but it's very critical, obviously for patients, but it's critical for the business as well for hospital healthcare. And we also even work with some non-medical-device stuff like HVAC systems now that are attached to the networks, cash register systems, things that IT doesn't necessarily want to deal with but have very big security concerns for availability or the confidentiality of that data. And so we do assessments, audits and assessments of that, and we keep track of that information in our ServiceNow instance. And now we're actually having, as ServiceNow is growing their business, we're now starting to have customers that also have ServiceNow instances and they want to get a peek in, access to some of that data, so we're figuring out how to integrate some of that data with them. But as you mentioned, this is a very niche, very specialized type area. And so we do these assessments, a lot of, we don't necessarily even have a direct competitor at this point in the market. That's how niche we are. But we do have individuals who say they can offer similar type products, and usually what they do is they run scanning systems, almost like the ServiceNow discovery tool that they have, and they go out and scan the network and do these things. Well, our business model is actually different because we do HIPAA assessments and we do a lot of things that require boots on the ground, eyes on the devices, eyes in the environment of what's going on with the medical device and who's touching it and where can they see, can a patient walk around and see some data they shouldn't see.
And so that requires having actual people in there, and so we send individuals in to actually do these assessments instead of automated tools necessarily.

And I would imagine the devices are going to be more and more outside of the hospital as well. That's all the healthcare commercials and the insurance commercials, the world where you're wearing these things or walking by these things and it's reporting back to the doctor.

Yeah, we were asked to consult on a project where a healthcare provider is sending out an electronic scale. They're sending out a blood pressure cuff. They're sending out a heart rate monitor and a couple of other things to individuals after they've already seen their physician, and so they can get that information there instead of having to drive into a doctor's office or something, they can get that in their home and then it gets sent to a tablet that they also have been provided, and that tablet information then goes to an information repository that the hospital monitors. And so there were some concerns about the security of that information and that pass-off and hand-off and who's seeing it and who's touching it. And so there's a lot of things to look at, and I have a new appreciation for these things because I work for, my boss is a lawyer, and so I get a lot of exposure to legal terminology and the legal implications of saying this versus this and measuring your words very carefully.

That's why he's spending your time building applications. So you guys, you've focused both on physical and logical security, based on what you said before. You've got to have people walking around to see what the vulnerabilities are in terms of violating HIPAA.

Yeah, so we work on the physical, the technical as you mentioned, we also work on the administrative. So the policies, the lawyers, you know, how the individual organizations manage or maybe don't manage the security aspects, and do they have any kind of a governance organization in place to determine.
And a lot of times, I think one of the sessions I heard earlier talked about how, it was actually a healthcare organization, talked about how doctors, they'll get research grants and things and they'll just go buy things and they'll attach them to the network, and they may even hire their own IT guys that are separate from the normal IT guys.

Yeah, plug this in.

Because I got new grant money, so I'll hire a couple of IT guys and they'll deal with it, and they won't be out of the main IT department, because if I go to the main IT department, they can say no. But if I go and get my own guys, well, they're going to say yes, because I'm paying for them.

Right, right, okay, so now, let's come back to this notion of your niche. So one of the things we've been tracking is the so-called internet of things, the industrial internet, you see these GE ads, you must love that, right?

Sure, sure.

The operating room is now just a room, right? And it's quite interesting, it looks like it's a big wave of data and analytics applications, so you participate really in that wave, don't you?

Absolutely, yeah. We look at our healthcare customers having about two network devices and/or devices that store patient data per bed. So when you look at a hospital, the number of bed counts, and that's the number of devices that they have that are either attached to the network and/or have patient information in them. And this has a big impact for the patients when you have patient information. Every time you go to your doctor, you want to keep that confidential more than likely, unless you're Angelina Jolie, who wants to obviously bring that to the press, but most people want to keep that information.

Yeah, well, most people want to keep that information private.

And the other thing is there's a lot of financial information or benefits information, when you think about your healthcare, that stuff gets kind of captured up in these devices as well.
And back when a hospital had rows and rows, and you've probably seen these record rooms, right, where they go and pick your file off of this giant list of, well, now it can all be contained on that laptop. And unfortunately, a lot of, you know, you talk about the internet of things, a lot of these devices are now mobile, they're easy to move around even in hospitals and they're becoming lighter weight. And so it's unfortunately easy to lose track of one, or it goes missing, or something happens, or you take it home to work on some case files at night. Unfortunately, it has, you know, probably every patient for the last five years on it, you lose this and then you've just spilled a lot of financial information, a lot of confidential medical information.

So let's dig into that a little bit. So a lot of your industry is around compliance with HIPAA and making sure you're not violating that, for sure. But I think what you're getting to is the bad guys can actually profit from tapping into the medical network now.

Yeah, there was a statistic, I'm not sure how it's kept pace today, but there was a statistic from the Secret Service, and it was the black market value, where they're attempting to put a value on the black market. For a known good credit card it was about a dollar. For a credit card that they knew, you know, someone could go buy, get the number, it was going to work, they could go buy some information or buy some assets, get them shipped to their house, whatever, that was about a dollar. A medical record that was known good, they still had benefits and you could still, you know, the deductible, you could still keep working on it. That was about 80 to 90 dollars. So that shows you just, and this is a few years ago now so I'm not sure what the number is today.

Why that giant number, me being completely ignorant?

There's some speculation.
One speculation is that, you know, there's about 40 million people in the United States who can't get or don't have access to, you know, medical benefits or health insurance. And so those individuals still have health problems and they still, you know, want to, if they know they need a surgery or something, they may, you know, try and find someone who can get them access to, you know, a number, or commit fraud for Medicare or Medicaid purposes or something. So this is information that's, you know, it's got some value, and the downside for you is, just like identity theft, if your medical information gets stolen and you don't know that, and someone uses it to, you know, check in under your name and with your information at some other hospital in some other state, and they start racking up, you know, fees and things, even if the bill doesn't necessarily come to you right away before that gets sorted out. Now if you go in and maybe you get this resolved, you get an affidavit, it says I was never in this hospital here, didn't do this. The problem is you may have to fight with your insurance provider about the fact that someone ran up fees on your maximum lifetime benefit and/or your deductible has been hit. Or you have a new pre-existing condition that you didn't know that you had. Someone could, we worked with a client in South Korea, and, you know, this is in Seoul, South Korea. So it's only 30, 40 miles from the border of a hostile threat in North Korea to their nation. And they mentioned to us in a meeting about how, you know, it's possible someone in North Korea could essentially hack into the medical record of a dignitary, a politician, some prominent individual, and could change their blood type. And this gets changed in the medical record, they come in to get some kind of work done or something happens, and now they get the wrong transfusion, and it could actually be life-threatening.
Yeah, and it sounds kind of, yeah, it sounds kind of impossible and odd, but, you know, that's a real threat to them in their country and the issues they deal with.

So you've got the, I mean, the bad guy ecosystem has obviously advanced dramatically. It used to be, you know, somebody dropped a virus in and made a lot of noise, hi, great, great, you know, wonderful, golf clap, whatever. And now it's very stealth, right? Because there's different parts of the ecosystem that will get paid. Like you were talking about, you know, laptops. Somebody, don't pay somebody, go steal a laptop.

Yeah, so there was a laptop that was stolen, or a system that was stolen, recently that I think within three months they tracked this device down because it had some remote control software on there, and it was stolen in, you know, the Midwest United States and it showed up in Senegal, West Africa in less than three months.

And how many people did it probably pass through on its nice little journey across the ocean? Yeah, so the, I guess the other point there is that in the, you know, traditional IT world, 80% of the money is spent on keeping the bad guys out, and only 20% on finding them after they've, you know, gone through there, and doing analytics around that. So, and that has got to shift, obviously. I saw another stat that, again, this is the traditional IT world, after an infiltration, on average it's 419 days before the infiltration is even known.

Yeah, that's one of the things the HIPAA regulation deals with, is a reporting, they're trying to enforce a reporting timeline, you know, 60 days for initial report, if it's over so many records, medical records that were breached, this kind of thing. The issue is that the time runs after, not after the incident occurred, but after they found out about it.

Yeah, right, so, yeah.
So, Mike, specific question to you, Derek, is what do you guys, is there a similar dynamic in your world, you know, your device, you know, network device world, and how are you guys responding to that shift in profile?

Yeah, so it's very difficult right now because medical devices and any kind of embedded system, sometimes you hear a lot of this in the media around industrial control systems, it's gotten a lot of attention, but it's very similar, which is these are systems that are largely antiquated, they're very proprietary to their manufacturers, and IT organizations typically just don't know much about them and so they kind of ignore them, and the operators or the owners, the individuals who shelled out the cash for these multi-million dollar systems, they don't necessarily deal with the security of that system or deal with IT about, you know, who controls this asset and who does the upgrades and how does that work. In a lot of devices too, you know, with the crunch in the economy a lot of individuals are letting the service management contracts for these devices go off, and so they still need to use them for business. To give you an example, we saw, within the last 12 months, we saw a system that was a lab system in a hospital and it was still running DOS 3, and you think, okay, this is a legacy old system, they've got to get rid of this. Well, they actually had only purchased it a few years ago and they had an eight-year life cycle.
So in five more years, this hospital will still be using a DOS 3-based system for all their lab management, all their, every lab call that comes in from that hospital will go through this system, and very few people in IT are going to know how to interface with that system and do anything with it. And if this hospital keeps it past that eight-year life cycle, it'll probably roll off the support contract because the equipment manufacturer is not going to support that old of a device anymore, they're going to try and get them to go to the new one, and no one's really going to be there to do anything with it, and it's going to be a big issue for everyone who uses it and owns it, but no one really wants to take accountability.

So, great discussion, we'll come full circle now. So ServiceNow, back to ServiceNow. So what has it enabled you to do that you wouldn't be able to do otherwise? You said at the time there was nothing else like it. So what has it enabled your business to do that you perhaps couldn't have done otherwise?

The biggest thing for us is really our core line of business, which is it helps us keep track of literally millions of control objectives for our customers. So we do, we have tens of thousands of audits, assessments that have been done for individual devices that we cover, and then inside each one of those assessments we've got 60-plus observations and control objectives that are looked at, and then each of those has some kind of control measure or something that may or may not apply to it. So you multiply that out and we have millions of control objectives in there, and in four years, going from basically a spreadsheet-based system just to prove the concept, and then we had to have a platform that was going to be able to take all that data and help us work through it better. There's other solutions out there, I'm sure, but there's none that I've seen that are nearly this robust for this kind of data.
That allows you to scale your business and deliver tangible business value. All right, Derek, well listen, thanks very much. I love the discussion on security. I really appreciate you coming on theCUBE, and keep it right there, everybody. We'll be right back with our next guest after this break.