>> Live from Las Vegas. It's the cute covering knowledge sixteen brought to you by service. Now carry your host, Dave Alon and Jeff Rick. >> Welcome back to knowledge. Sixteen. Everybody. This is the Cuba Cuba Silicon Angles flagship product. We go to the events we extract. The signal from the noise is their fourth year at knowledge. Sean Connery is here. He's the vice president and general manager of the Security Management Business Unit at service now. Sean, thanks for coming on the Cube. Sure, I hear a lot of talk about security this week. You guys air making forays into that space. It's a really important, you know, problem area. Every year I look back and new years and I look back. It's OK. We more secure than we were last year. I read our Cove yellows note, and I text them is they are. We're not more secure. What's going on? But it just seems like the bad guys just keep getting better and better. So state the problem that organizations have with security. And let's talk about how you can help. >> Sure, Well, I think you've got a new organizational challenge with the scope of security tools that organizations are using, so they're dealing with silence of information, even within security. So we had all hoped, you know, years ago in security industry that by now we'd have a single pane of glass where we could see every alert, every piece of information. And it would magically be contextualized with all sorts of advanced machine learning. And that just hasn't proved to be true and actual deployment. So organizations have yes, they have some aggregation, but they have other silence of information. And when things go bad, the investigative process takes a long time, and then the remediation process involves it, and that interaction between security nights he has been a challenging relationship to be candid. >> Well, you you underscore that keynote. It was yesterday, and you guys had a little tongue in cheek. You know, interaction between it and the security team. What's the right result regime for handling cyber security? In your view? In other words, well, how should be structured? Whose responsibility is it? What responsibilities do they have? Well, I think the >> most traditional organisational model that I've found makes sense is the chief information security officer and his or her entire organization reports up into either the CEO are sometimes general counsel. Sometimes an audit lied so that that piece really doesn't matter as much as the CSO and the CEO having a very strong relationship because what typically happens is the security team will have operational responsibility for all the investigations. When something goes bad, there's some some sort of incident. But then, when the change needs to be made, even something like a firewall is often run by teams, not by security team. So once you make that recommendation, you're actually interacting with it. And this is where having things like agreed upon fellas in advance so that it and security know what to expect from one another really helps, >> has a has a failure equals fire mentality of created somewhat of a lack of transparency over the years and your view >> say more about that. I'm not >> sure I understand the question. If I'm responsible for security and I fail like very well could get fired. Does that lead organizations to the less transparent about the threat, or even sandbag the threat or obvious Kate the threat? >> Sure, I mean, I haven't I haven't heard many stories directly about that from from certainly anybody that I've talked to directly. It feels to me more like they're just struggling to figure out a way to make things better, right? I think. You know, organizations genuinely are passionate around solving this problem, and they, frankly just struggled to figure out the right balance of investment in people. Investment in technology. And you know it. Let's keep in mind, right? We're not that far into this journey, right? Only fifteen years ago, we all thought perhaps the firewall was good enough, and we just needed something protecting us from the big, bad Internet. And of course, the evolution over the last last decade has just been more and more threats and more and more technology, which feels like a treadmill. We need to somehow get off. >> But to continue on that thought, so is recent is four. Five years ago I heard you know, cos stand up or individuals that company stand up and say We've never been hacked red. So do you agree? There's a recognition that it's not if it's when we've been hacked and that level of communication is becoming more training transparent at the board level? Is that fair promise? >> I do think that's fair. I think you know, the evolution that I've seen has been, you know, we are, we are impenetrable, right? There was a brief moment where some people thought they could actually achieve that. Then there was the second phase, which was Yeah, well, we get attacked from time to time, but we have a great response process. But now I think we're in the third phase, which I think is the most honest phase, which is large organizations are operating under an assumption of persistent compromise, so they're assuming somewhere in their environment they have already been compromised. And so that's what really makes the response piece such an increasing focus for chief information officers and chief information security. >> Yeah, and I think you guys nailed it because your value proposition is all about the response, Is it not? It >> is. It's about taking the teams you have and making them more efficient, making them more effective. And, you know, we've been in the security industry paying, you know, candidly, lip service to the notion of making teams more effective and the importance of individuals in the process. But always in the service of selling you some magical technology that's going Teo, make this problem supposedly go away, we finally realised, I think, as a community that we have to make these teams more efficient, we have to make them more effective. And our security operations product from service now is really focused on really operationalized and modernizing the security operation Center in the same way service now did to the knock years ago. >> Because you've got kind of a natural conflict, which what you want, where the security folks are kind of keeping an eye on the folks. So there's a little bit of separation of church and state at the same time, it's the execution vehicle to put up no better security and or take care of incidents and responses. So I would imagine that's kind of a delicate balance. And, as you said, helping those teams work better together while still kind of keeping an eye on each other. Interesting conflict. Well, >> I think if you if you look at the evolution of the security industry as a whole, it's been security company is selling security technology to security buyers, and that has been the sort of you know, to use Frank's term, the rinse and repeat model of security for some time, and that certainly has its place. We're going continue to evolve our detection and enforcement technology. But, you know, it's really a realization that the's security ninety teams need to be able to work together. And so having a common platform where the security team can have their own protected data storage their own protected processes but have a direct integration to it without having to have either side feel like they're dealing with the other organization as a almost like a black box where they don't have visibility into how the process is run once it's out of their hands. >> So I'm gonna test another premises we've got a security expert on. So I'd love to test my my, my my assumptions, uh, you buy the following that the difficulty in valuing data and I pop and assets makes it hard for companies to appropriately secure those those assets. >> Yeah, sure. So I think organizations have have people to protect. They have data to protect. They have assets and information to protect, and then they also have another component of this which is interesting is the compliance requirements, right? So oftentimes they'll actually be tension between the Risk and Compliance Organization and the security organization as they decide for example, which vulnerabilities they want to address, You know, some some compliance requirements might have a limit. Say, you know, you have only a thirty day grace period before a vulnerability needs to be fixed. So even if it's a low priority vulnerability, you might have, ah, that be hiring the queue than something more critical. That actually will impact the security of the organization >> because it's just a century kind of risk. Medicate security is risk mitigation, as opposed to security as a bigger, bigger, badder moat. With that, ask your alligator and trying to think of how much he spent. How do you allocate those resources when asked methodically, You're never going to get to one hundred percent. But how people kind of making those tradeoff decisions to figure how much is the right amount? Because it's never enough, I would imagine. But you know, how do you kind of balance? What is the right amount? How do you allocate? The resource is between the less critical, but maybe the regulatory compliance versus the more critical, which is, you know, as biggest, bigger implications on the business or it's a special class of data. Sure, life. I think >> the broader organization has struggled to understand that investment level because there's traditionally been kind of, ah, almost an insurance like mindset to buying security. It's like, Well, you know, we have to prepare for this but potential attack. But now back to my earlier point that people realize they're they're constantly in a state of compromise. It's a little bit easier to make the investment. But what has been lacking is the visibility into the posture of your organization as a whole. So you you have in the past fallen back on statistics like the number of alerts your system generates, which really says more about how well or poorly your system is tuned, as opposed to how effective your security practices are. So when you look to invest now, I think with the security operations capability, you can start to see you know, what was my incident count last quarter. What is it this quarter? How many of them are false positives? You know, show me as the chief information officer, the critical business services that I have tying into the data, as we talked about earlier, and then show me the vulnerabilities attached to those most critical services I guarantee you get in front of a board and you show, you know, these are the vulnerabilities that I have against this infrastructure, and I do not have the resources to fix them. That's a very short conversation >> because you say they start writing checks, Um, brings me to my next question, which is? The CEO comes to Mrs Shawn. I got a present to the board. I gotta develop a communications plan for the board. What are the two or three most important things I should have on my checklist in that communications plan to build that communications plan? Well, I >> think the first peace, which again I think is the missing piece we just talked about is some sort of relationship between the investments you're making and the risk to the specific services that are most important to the organization. Right. So if you can provide some metrics and say OK, you know, this is my exposure on these services that the entire business depends on that feels like the start to a fantastic conversation with board. Where is coming in and saying, you know, last month we had a thousand alerts or we had, you know, fifty thousand vulnerabilities like that's that's not meaningful to a board of directors, so you have to be able to get more specific on what matters most. And then I think following off of that would be able to talk about the staff investments you're making and the effectiveness of that investment. So you can actually say All right, we have, ah, security operations team of ten or fifteen would have you. And here's how they break down in terms of what they're doing. And here's how AH, headcount put into that system affects the following results on the other end in terms of ah, shorter time to respond to shorter time to identify. >> Do you feel as though organizations are, well, first of all should? And are they treating security as a component of their business continuity plans? Should they and do they it feels like >> they are. It feels like, you know, when you talk about robustness and availability, and a lot of those terms carry over very easily between sort of the d r world, the security world, business continuity as a whole. So I think that's changed. I think I think we're on the right great course there. >> In the financial analyst meeting, you shared some data and we've talked enough. Came about some of the data we've seen a couple hundred days. When an organization gets infiltrated toe actually detect that intrusion. Is that a metric? Now, who knows? You know what the real number is, but on average, but it's a long time. Is that a metric that we can track? It sounds like we can and conservative now help compress that time. Two. Detection we can. And the >> way we do that is by taking that original problem statement I articulated at the beginning around these silence of information and connecting them not only to one another, but to it and the broader enterprise. So suddenly, what is a manual process to track down the business owners? Something very simple. Tell me, who owns this particular I P address that's being attacked right now and tell me this service that that I p address is supporting, you know, is this my you know, summer company picnic planning website, or is this my financial reporting infrastructure? Those two would result in obviously very different responses. >> So it's early days you guys just announced I think Tessa, right? We didn't know. And so how's it going? What's the Inter spend? Obviously big show for you, I said. We've been talking about security all week. We think is just one of most exciting things that we've seen from service Now on DH. There's a lot of them. Put that right at the top. What's the feedback been? What's the momentum like? I think the >> momentum is strong. We announced for customers and queue for another eleven. And Kyu Wan So getting good growth, lot of global two thousand interest. So it tends to be the larger end of commercial on larger enterprise that has the most to gain from from a solution like this and, you know, just on a more personal level. And I've been doing security for a long time long enough that I don't consider myself an expert because I realized just how much we've struggled as an organization ondas a community. But being able to see a shift towards people towards process towards being able to make a team more effective given the information they need, given the relationships with that can allow them to be more effective in their response, you know this feels this feels like a new category of security technology and one that really leverages service now is expertise in workflow, orchestration, automation, single system of engagement And these air not, ah, security problems, these air enterprise problems. So we're taking that expertise and applying it to the security buyer. >> Excellent. Sean Connery. Thanks so much for coming in the Cube. And And good luck with solving this hard problem. Thank you. Alright, Keep right there, buddy. But back with our next guest right after this. This is a cube, er live from knowledge sixteen in Vegas, right back.