From San Francisco, it's theCUBE. Covering RSA Conference 2019, brought to you by Forescout.

Welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA Conference in Moscone, they finally finished the remodel, looks beautiful and the rain is not coming in, which is a good thing. We're excited to have a next guest of many time CUBE alumni. He's Sean Convery, the VP and GM of the security and risk business unit at ServiceNow. Sean, great to see you.

It's great to see you again, Jeff. Thanks for having us.

Absolutely, so it's been probably six months or so since we last talked, what's been going on at ServiceNow in the security space?

Well, one of the things that's been most interesting is as our customers have started to get into production now with the security capabilities as well as our risk capabilities, they're realizing the benefits of having IT, security, and risk on the same platform. So when we were talking last time, we were talking a lot about security hygiene, vulnerability management, security incidents, and that's all very much mainstream now in our install base, but now folks are saying, wait a minute, if I've got IT data, risk data, compliance data, and security and vulnerability data on the same platform, what kinds of things can I now do that I couldn't do before?

Right, so what are they doing?

Well, big thing they're doing is they're starting to manage risk in a holistic way by leveraging operational data on the platform.
So if you think about the way risk tools have historically worked, you're basically in what is essentially a glorified spreadsheet building dashboards or how to represent the various risks to your organization, but if you think about what auditors and compliance people need to do, they're essentially checking the state of all these compliance tasks throughout an organization, but it's essentially a survey, like I'll ask you, like hey, tell me about the data protection strategy for your application, you'll have to tell me, well we're using crypto or we're not using crypto, the data's in this country. Well all that data's already in ServiceNow, so how do you now automate, so we take all those mundane tasks around compliance and risk and be able to roll that up to clear, visible risk indicators, manage that in a continuous way, what we call continuous monitoring for risk, which is just a brand new way to think about this problem.

Right, so I'm curious how the changing of the assessment of the risk changes over time. You've got the compliance stuff, which you just have to do, right, you have to check the box, you've got kind of your business crown jewels, but then now we're seeing with kind of these nation state attacks and political attacks and these things that aren't necessarily just trying to steal your personal information and not trying to steal your bank money, but they're looking for other data that maybe you wouldn't have assigned an appropriate risk level in a time before, because you were kind of really protecting the money and the obvious crown jewels. So how does that risk kind of profile continue to modify and change over time?

Well I think that's going to be the state for forever, right, the risk profile is going to continue to modify. I think what's important for security teams, risk teams, IT teams is to make sure they're actually using risk, as we talked about last time, as their North Star for guiding their security investments.
I mean we're here surrounded like in the lion's den of all these security vendors, I was just walking the halls, all the startups that are trying to do different things and there's always going to be another tool that somebody's going to want to sell you to solve a problem, but ultimately you need to be looking at the risks to your organization, as you said, the evolving risks as people shift to cloud, you know they deal with nation state attacks, they deal with whatever's going to come tomorrow and how do you guide your security investments in favor of that? And what we're seeing at ServiceNow is a renewed interest in hygiene and back to basics. How do I manage my vulnerabilities? Is my patch program effective? How am I dealing with exceptions? And what's that channel to IT? Because as you know almost everything about security is actually done by IT from an operational standpoint. So that channel of communication is something that we've been really heavily focused on.

Yeah, it's a pretty interesting, as you say, we're surrounded by many shiny, many bright shiny lights and people have something to sell, but you can't buy your way out of this thing, you can't technology your way out of it, you can't hire out of it. So you really need to use kind of a sophisticated strategy of integrated tools with the right amount of automation to help you get through this morass.

Absolutely, and one of the ways we like to help our customers think about this is, your teams want to be focused on the interesting parts of their jobs. They came into the security industry because they want to help save the world, right? You know, they watch some movie, they imagine some amazing role, and then when they get into the role, if they're dealing with mundane phishing response, vulnerability prioritization, it takes the wind out of their sails, right?
But if you can automate those mundane tasks using a digital workflow platform like ServiceNow, then suddenly you free that time up so they can be focused on what you were just describing, much more advanced attacks where you want the creative humans sort of focused.

This is so funny, right? It's almost like any type of a job, like painting. You know, the more time you spend prepping the house and sanding the house, everything except painting, the better the painting goes, and it's kind of the same thing here. It's the boring, it's the mundane, it's the applying the patches, as you said, but it's all of those things that make the exciting part when you get there, now you can focus on real problems. It wasn't just, ah, shoot, you know, we forgot to apply that patch two weeks ago.

You're reminding me of, I think my dad taught me a measure twice, cut once?

That's it, that was it. That was it. Yeah, yeah, yeah.

So it's absolutely right. So one way to think about that is a concrete example is attack surface. So a lot of people on this hall are talking about your attack surface. What are the areas that can be attacked within your organization? Well, one of the best ways to reduce your attack surface is to manage your vulnerability program in an effective way, is if you can deal with patching much more efficiently, patching the right assets, the ones that have active exploits that are available, then suddenly your inflow of incidents reduces, and then you automate the incidents that remain, and then suddenly you've got a massive time savings, versus if you just sort of scattershot said, all right, team X is going to work on vulnerabilities, team Y is going to work on incidents, they're really not going to coordinate, and they're especially not going to coordinate with IT, that's where things start to fall apart.

Right, right. So we're here in the Forescout booth. So how long have you guys been working with Forescout? How do the two systems work together?
Yeah, so we've been working with Forescout for a while, we've actually got a number of integrations that are live on the ServiceNow store, and in fact we have customers in production using Forescout. So what we really see with Forescout and ServiceNow is a couple of things. First off, just on the asset management, asset discovery side of the house, Forescout has a wealth of capabilities around giving us information about endpoint assets, whether they be traditional assets or IoT assets, and we can feed that directly into the CMDB, our configuration management database, to help manage the overall assets within an organization. So that's sort of step one, Forescout is a terrific partner to help pull that data in, and then the second thing we can do is we can then using the security capabilities inside ServiceNow, we can trigger actions inside Forescout's environment to then block, remediate, isolate when we see something bad happening related to an incident or a vulnerability that we discover.

Right, I just can't help but think, and I know asset management is a itty-bitty little piece of the ServiceNow offering, and all we hear about, Forescout is just going in and finding out all kinds of stuff that you had out there that you've been on like, who found it first? You guys in the asset management or the Forescout sniffer, but I imagine a lot of that stuff is not in your asset management system because it's things that people have just plugged in here and there and along the way.

Yeah, well we have a discovery capability as part of ServiceNow, which is fantastic, and that is primarily focused on server assets and the relationship between those server assets. So if you want to understand what is the total footprint of my ERP infrastructure, the load balancers, the network equipment, the servers, we can do that very, very well.
What we really rely on, come to like, Forescout to help us with is, like you said, somebody plugs something in on the wireless network, on the local network, we don't know what it is, and Forescout can help us, what is it, where is it, and that information is changing so quickly that it really helps us out to have an integrated solution. We've actually got a customer from the state of Utah who's in production now with 60,000 devices being managed with Forescout and ServiceNow working together.

Just curious if you somehow integrate those back in and say, you know, it's not just me plugging in my phone but it's actually something that needs to be more actively managed. If there's a discovery process there within ServiceNow, or is it mainly just temporary stuff, plug it in, plug it in, out, plug it in, plug it out.

Yeah, no, I wouldn't think of the integrations with Forescout as temporary in any way. It's just more, it's more dynamic environment. People are plugging systems in. Typically you want to do that in an agentless way. You don't want to have a heavyweight agent on the endpoint. That's what Forescout's really known for, is discovering, analyzing what these devices are. And for us, the more incoming data we have into our CMDB, the more valuable that is to our customers. And so we're really excited to continue to do more with Forescout.

Great, all right, I'll give you the last word. What are your priorities for 2019?

Oh, priorities for 2019 is really to build on what we just announced. So Madrid, our major ServiceNow release, just hit today.

Congratulations.

Yeah, thanks very much. We have an exploit enrichment in our vulnerability system now, so we can know, you know, is there a vuln? How critical is it? But also, has it been exploited or not, right? Is it a publicly available exploit? Does it require local access, remote access? So that's, we've done that on the security side.
We did some continuous monitoring that we already talked about, but the big thing for us at ServiceNow was mobile in 2019, right? So the big capability we announced is native mobile capabilities. So essentially, we're positioning everyday work as the next killer app for mobile, because as you know, ServiceNow is all about interconnecting all these various departments and making these classic processes, digital workflows. And now you can have that same sort of consumer grade mobile experience on your enterprise infrastructure. And so being able to build that out throughout all of our products and continue to drive value to our customers is what we're really excited about.

I just can't help but think of Fred coming out. I think in like 2015, with like the first, I might be off by a year or two, the first, you know, ServiceNow on mobile and the crowd went wild.

And it was awesome at the time, right? That was essentially a scaled down web capability that I put inside of a container. Now this is native mobile. So GPS, Face ID, 3D Touch, to use iOS examples, are all capabilities you can expose in a codeless environment to developers. So you can build a custom application, custom workflow, and you don't have to know anything about how to code, and the app can get pushed down to your user's devices right away.

Very good. Well, I think that's a good place to focus on.

Yeah, absolutely.

All right, Sean, well thanks for taking a few minutes to stop by.

Of course, thanks Jeff. Great to see you. It's a pleasure.

All right, Sean, I'm Jeff. You're watching theCUBE. We're at RSA in San Francisco. Thanks for watching. We'll see you next time.