Live from Las Vegas, it's theCUBE, covering Knowledge 16, brought to you by ServiceNow. Here are your hosts, Dave Vellante and Jeff Frick.

Welcome back to Knowledge 16, everybody. This is theCUBE. theCUBE is SiliconANGLE's flagship product. We go to the events. We extract the signal from the noise. This is our fourth year at Knowledge. Sean Convery is here. He's the vice president and general manager of the security management business unit at ServiceNow. Sean, thanks for coming on theCUBE.

Sure, glad to be here.

A lot of talk about security this week. You guys are making forays into that space. It's a really important problem area. Every year at New Year's I look back and say, okay, are we more secure than we were last year? I read Art Coviello's note and I text him and say, all right, we're no more secure. What's going on? It just seems like the bad guys keep getting better and better. So state the problem that organizations have with security, and let's talk about how you can help.

Sure. Well, I think you've got an organizational challenge with the scope of security tools that organizations are using. So they are dealing with silos of information even within security. We had all hoped years ago in the security industry that by now we'd have a single pane of glass where we could see every alert, every piece of information, and it would magically be contextualized with all sorts of advanced machine learning. And it just hasn't proved to be true in actual deployments. So organizations have, yes, some aggregation, but they have other silos of information, and when things go bad, the investigative process takes a long time, and then the remediation process involves IT, and that interaction between security and IT has been a challenging relationship, to be candid.

Well, you underscored that in the keynote, I think it was yesterday, and you guys had a little tongue-in-cheek interaction between IT and the security team.
What's the right regime for handling cybersecurity, in your view? In other words, how should it be structured? Whose responsibility is it? What responsibilities do they have?

Well, I think the most traditional organizational model that I've found makes sense is the chief information security officer and his or her entire organization reporting up into either the CIO or sometimes the general counsel, sometimes an audit lead. So that piece really doesn't matter as much as the CISO and the CIO having a very strong relationship, because what typically happens is the security team will have operational responsibility for all the investigations when something goes bad, there's some sort of incident, but then when the change needs to be made, even something like a firewall is often run by IT teams, not by security teams. So once you make that recommendation, you're actually interacting with IT, and this is where having things like agreed-upon SLAs in advance, so that IT and security know what to expect from one another, really helps.

Has a failure-equals-fire mentality created somewhat of a lack of transparency over the years, in your view?

Say more about that, I'm not sure I understand the question.

If I'm responsible for security and I fail, I very well could get fired. Does that lead organizations to be less transparent about the threat, or even sandbag the threat or obfuscate the threat?

Sure. I haven't heard many stories directly about that from anybody that I've talked to directly. It feels to me more like they're just struggling to figure out a way to make things better. I think organizations genuinely are passionate about solving this problem, and they frankly just struggle to figure out the right balance of investment in people, investment in technology, and keep in mind, we're not that far into this journey.
Only 15 years ago, we all thought perhaps a firewall was good enough and we just needed something protecting us from the big bad internet, and of course the evolution over the last decade has just been more and more threats and more and more technology, which feels like a treadmill we need to somehow get off of.

But to continue on that thought, as recently as four or five years ago, I heard companies stand up, or individuals at companies stand up, and say we've never been hacked. So do you agree there's a recognition that it's not if, it's when we've been hacked, and that that level of communication is becoming more transparent at the board level? Is that a fair premise?

I do think that's fair. I think the evolution that I've seen has been: we are impenetrable, right? There was a brief moment where some people thought they could actually achieve that. Then there was the second phase, which was, yeah, well, we get attacked from time to time, but we have a great response process. But now I think we're in the third phase, which I think is the most honest phase, which is large organizations are operating under an assumption of persistent compromise. So they're assuming somewhere in their environment they have already been compromised. And so that's what really makes the response piece such an increasing focus for chief information officers and chief information security officers.

Yeah, and I think you guys nailed it, because your value proposition is all about the response, is it not?

It is. It's about taking the teams you have and making them more efficient, making them more effective. And we've been in the security industry paying, candidly, lip service to the notion of making teams more effective and the importance of individuals in the process, but always in the service of selling you some magical technology that's going to make this problem supposedly go away.
And we finally realized, I think, as a community that we have to make these teams more efficient, we have to make them more effective, and our security operations product from ServiceNow is really focused on operationalizing and modernizing the security operations center in the same way ServiceNow did for the NOC years ago.

Because you've got kind of a natural conflict, which you want, where the security folks are kind of keeping an eye on the IT folks. So there's a little bit of separation of church and state; at the same time it's the execution vehicle to put up better security and/or take care of incidents and responses. So I would imagine that's kind of a delicate balance, and as you said, helping those teams work better together while still kind of keeping an eye on each other. Interesting conflict.

Well, I think if you look at the evolution of the security industry as a whole, it's been security companies selling security technology to security buyers. And that has been the sort of, to use Frank's term, rinse-and-repeat model of security for some time, and that certainly has its place. We're going to continue to evolve our detection and enforcement technology, but it's really a realization that these security and IT teams need to be able to work together. And so having a common platform where the security team can have their own protected data storage, their own protected processes, but have a direct integration to IT without having either side feel like they're dealing with the other organization as almost a black box, where they don't have visibility into how the processes run once it's out of their hands.

So I'm going to test another premise on you. We've got a security expert on, so I'd love to test my assumptions. Do you buy the following: that the difficulty in valuing data and IP and assets makes it hard for companies to appropriately secure those assets?

Yeah, sure.
So I think organizations have people to protect, they have data to protect, they have assets and information to protect, and then they also have another component of this which is interesting, which is the compliance requirements, right? So oftentimes there'll actually be tension between the risk and compliance organization and the security organization as they decide, for example, which vulnerabilities they want to address. You know, some compliance requirements might have a limit, say you have only a 30-day grace period before a vulnerability needs to be fixed. So even if it's a low-priority vulnerability, you might have that be higher in the queue than something more critical that actually will impact the security of the organization.

Because it's just interesting, kind of, risk mitigation: security as risk mitigation as opposed to security as a bigger, better moat with an alligator. And in trying to think of how much do you spend, how do you allocate those resources when asymptotically you're never going to get to 100%. How are people kind of making those trade-off decisions to figure out how much is the right amount? Because it's never enough, I would imagine, but how do you kind of balance what is the right amount? How do you allocate the resources between the less critical but maybe regulatory and compliance versus the more critical, which has bigger implications on the business or is a special class of data?

Sure. I think the broader organization has struggled to understand that investment level because there's traditionally been kind of an almost insurance-like mindset to buying security. It's like, well, you know, we have to prepare for this potential attack. But now, back to my earlier point that people realize they're constantly in a state of compromise, it's a little bit easier to make the investment, but what has been lacking is the visibility into the posture of your organization as a whole.
So you have in the past fallen back on statistics like the number of alerts your system generates, which really says more about how well or poorly your system is tuned as opposed to how effective your security practices are. So when you look to invest now, I think with the security operations capability you can start to see, you know, what was my incident count last quarter? What is it this quarter? How many of them are false positives? Show me, as the chief information officer, the critical business services that I have, tying into the IT data as we talked about earlier, and then show me the vulnerabilities attached to those most critical services. I guarantee you get in front of a board and you show, you know, these are the vulnerabilities that I have against this infrastructure and I do not have the resources to fix them. That's a very short conversation.

Because you say they're going to start writing checks. Brings me to my next question, which is, if a CIO comes to you and says, Sean, I've got to present to the board, I've got to develop a communications plan for the board, what are the two or three most important things I should have on my checklist to build that communications plan?

Well, I think the first piece, which again I think is the missing piece we just talked about, is some sort of relationship between the investments you're making and the risk to the specific services that are most important to the organization. Right, so if you can provide some metrics and say, okay, this is my exposure on these services that the entire business depends on, that feels like the start to a fantastic conversation with the board, whereas coming in and saying, you know, last month we had a thousand alerts or we had 50,000 vulnerabilities, that's not meaningful to a board of directors. So you have to be able to get more specific on what matters the most.
And then I think, following off of that, would be being able to talk about the staff investments you're making and the effectiveness of that investment. So you can actually say, all right, we have a security operations team of 10 or 15, or what have you, and here's how they break down in terms of what they're doing, here's how a head count put into that system affects the following results on the other end in terms of a shorter time to respond, a shorter time to identify.

Do you feel as though organizations are, well, first of all, should they and are they treating security as a component of their business continuity plans? Should they, and do they?

It feels like they are. It feels like, you know, when you talk about robustness and availability, a lot of those terms carry over very easily between sort of the DR world, the security world, and business continuity as a whole. So I think that's changed. I think we're on the right course there.

In the financial analyst meeting you shared some data, and we've been talking off camera about some of the data we've seen: a couple hundred days from when an organization gets infiltrated to when it actually detects that intrusion. Is that a metric? Now, who knows what the real number is on average, but it's a long time. Is that a metric that we can track? Sounds like we can. And can ServiceNow help compress that time to detection?

We can, and the way we do that is by taking that original problem statement I articulated at the beginning around these silos of information and connecting them not only to one another but to IT and the broader enterprise. So suddenly what is a manual process to track down the business owner, something very simple: tell me who owns this particular IP address that's being attacked right now, and tell me the service that that IP address is supporting. Is this my summer company picnic planning website or is this my financial reporting infrastructure? Those two would obviously result in very different responses.
So it's early days. You guys just announced, I think, at RSA, right?

We did.

And so how's it going? What's the interest been? I mean, it's obviously a big show for you. As I said, we've been talking about security all week. I think it's one of the most exciting things that we've seen from ServiceNow. There's a lot of them. We put that right at the top. What's the feedback been? What's the momentum like?

I think the momentum is strong. We announced four customers in Q4, another 11 in Q1. So we're getting good growth, a lot of Global 2000 interest. So it tends to be the larger end of commercial and larger enterprise that has the most to gain from a solution like this. And just on a more personal level, I've been doing security for a long time, long enough that I don't consider myself an expert, because I realize just how much we've struggled as an organization and as a community. But being able to see a shift towards people, towards process, towards being able to make a team more effective, give them the information they need, give them the relationships with IT that can allow them to be more effective in their response, you know, this feels like a new category of security technology, and one that really leverages ServiceNow's expertise in workflow, orchestration, automation, a single system of engagement. And these are not security problems. These are enterprise problems. So we're taking that expertise and applying it to the security buyer.

Excellent. Sean Convery, thanks so much for coming on theCUBE, and good luck with solving this hard problem.

Yeah, thank you.

All right, keep right there. We're back with our next guest right after this. This is theCUBE, live from Knowledge 16 in Vegas. We'll be right back.