>> Announcer: Live from Las Vegas. It's theCube. Covering IBM Think 2018. Brought to you by IBM. >> We're back, IBM Think 2018. This is theCube, the leader in live tech coverage. My name is Dave Vellante and I'm here with my co-host, Peter Burris. We're talking all things cloud, AI, blockchain, quantum, information management, information architectures. And we're here going to talk about resiliency. Business resiliency. Pat Corcoran is the IBM business resiliency global strategy executive. Doctor Larry Ponemon Is here, he's the head of the Ponemon Institute. Gentlemen, welcome to theCube. >> Thank you. >> Thank you very much. >> Alright Pat, set it up for us. What's going on here, at Think generally and then specifically, talk about business resiliency and what it means. >> Well for I think at Think this year, resiliency, we're teamed up with security. Because a lot of synergy when you look at resiliency where you want to be adaptable, flexible, companies want to be able to adjust to situations quickly. The environment's changed, where in the past when you looked at recovery and resiliency, people thought about natural disasters but now, this past year, it's been on longer, but the past year we've all seen a lot of major cyber-events. So now resiliency has taken on a different view. Different approach. Because it's not just the risk of a hardware problem, or a site going down. Now we got to address risk from a cyber and it's a totally different risk. So at this conference, we've teamed up with security at IBM to try to present an integrated package, integrated approach, and we're also working with Larry, sharing some results from a study from last year, about the cost of data breach, and the importance of business continuity, to cyberattacks. Because most people today, they're not ready. They might look at protect, they might look at detect, but they're not, they don't know how to recover from a cyber and that's what we're addressing here today. >> So Larry, we're going to get into the study but what's the Ponemon Institute? Why did you start it almost 20 years ago? Give us the background there. >> So the Ponemon Institute is a research company and we're linearly focused on cybersecurity, data protection, privacy, and other related topics. The reason why we started the institute, my background is varied intelligence and security over a very long period of time. I hate to admit it, but over 45 years of experience. And the bottom line is we saw a real need for information. The decision-makers needed to know, what are the really significant issues in privacy or information security, that could affect their organizations. And we're very lucky, we chose an industry that was interesting and profitable, and every day there's a new issue. So you never run out of research ideas. >> Amazing, I mean the last 12 months has been, it seems like this is a game of escalation >> Larry: Oh, it's crazy. >> You put on the TV and see NBC and all of a sudden there's you know every board of directors from a credit bureau on there, big words, "breach" across the bottom. >> Data breach. That's just a nightmare, right. But every day, there's something in the news. And to your point, Pat. It just seems to be getting more and more costly to businesses. >> It is more costly, and I think now when you look at annual reports, when I go visit a customer I like to read their annual reports, and the CEO or the CFO put down what risk are they concerned about. Almost every annual report now has cyberattacks in there. Because they have to, they have to be aware of it. And it's gotten so bad now. But like you said, the challenge is, a hacker only has to be successful once. Companies have to be successful hundreds, thousands, millions of times. Stopping these people from getting in and that's what we're trying to help them stop. >> Black hats is a growth business. >> Well it's a game for them. It is a game and they're good at it but we have to be better and that's the hard challenge. >> But virtually every company has been breached. It's like, the NBA I don't think any team has ever gone undefeated in the NBA. Despite your hope for the Warriors. (laughing) It just can't be done. So Larry, let's get into the study. You've done this for a number of years. >> Oh yeah. >> Dave: You've seen the patterns. What do we need to know? >> Yeah we know that the cost of a data breach is very significant. You know, you basically talk to CEOS and board members and you say, "What's the cost of a data breach?" And you get that glazey-eyed like, "How do we know?" But we've been trying to benchmark and figure out what that true cost is. And it could be millions, tens of millions of dollars your organization, just recovering from the major data breach. Let alone lose customer trust, and along there are huge long-term consequences. Across the data breach study, sponsored by IBM, we've done this analysis globally, and now we do it in 13 countries, and this current year it's going to be 15 countries, we're adding two new countries. And the issues, even though there are cultural differences and geolocation differences, companies are companies and all companies around the world are dealing with this phenomenon. And as Pat said, bad guys are getting worse, or better if you're on the side of evil, and their ability to get data and use data against organizations creates a huge challenge for organizations. And that's where actually you need IBM. You need the right technology, you need the right tools, the right personnel, to get the job done right. >> So I mean at the simplest level, the cost of a breach seems like it would be a function of the probability of that breach times its impact. And so, what are you seeing in terms of those variables? Are breaches happening more often, is the business impact greater, are they both sort of proportional? What's the relationship? >> The cost is climbing, globally. What we find is that organizations are ill-prepared to deal with these problems. We also know that a lot of organizations don't have the internal talent, the people they need to be able to identify and respond to these problems quickly. Our findings show that organizations that are using leading-edge technologies, and involve their BCMs, their business continuity people, are much more likely to have a successful outcome. But it's a mess right now honestly and there isn't an organization out there that isn't subject to a major data breach. >> Pat, when you talk to clients, to Larry's point, you ask them do you know what the cost of a breach is? The vast majority presumably don't. Do you help them sort of quantify that? Look at the business impact? >> We can. And that's a great point. They don't know. And they haven't looked at it. One of the challenges is, in many cases the security arm, the recovery arm and the continuity arm, more people, they're all fragmented. They're run by different groups within the company. So we want to work with companies to bring them together and so we can do an impact, business impact analysis, and look at what types of risk are you most concerned about. How vulnerable are you to those risks? And what would be the impacts? Tangible and intangible. Towards your brand. You look at some of the names that have been in the papers. You're in the paper and you're there for day after day because you're down for weeks. Your brand is being impacted. So that's an intangible cost, but is a significant cost. So we do help you with an assessment. >> So Larry, Dave mentioned that you've done this for multiple years. Last years' studies show that the improvements on time to identify and time to contain, was about 5% over what had been the previous year. Still not great, but it's getting better. Are we seeing this kind of five percent per year slog? And what do we need to do to start accelerating the rate of improvement? >> Right, so the word slog is appropriate. It's a slow-moving train and you get organizations to make a small improvement and that leads to, in the long term, really good outcomes. But unfortunately, it could go the other way. The bad guys are getting very talented and so they'll see opportunities, windows to exploit organizations and they want to hide their, they don't want the world to know that they've committed a crime. So the time to identify and time to contain may kind of move in the opposite direction. But in general we are seeing small improvement. One way that organizations are improving is they're involving other experts, other teams, so it's no longer just an IT security problem, Or a compliance issue, it's more than that. As Pat mentioned, it's a brand issue and bringing other people to the process is greater and greater visions. >> Allow me to repeat that this is people too. Because this isn't an IT issue, this is a business issue. >> Well, we've done some work on this and thinking, but what's the right regime for cybersecurity? It's not just the SISO problem or an IT problem but what percent, well first of all, first question. What percent of organizations, and I'm not just talking about large organizations, think about your client base, what percent actually look at cyber as a board-level issue. Obviously RBC Today, Verizon, yes it's a board-level for those high-profile companies but across the board, is it 100%? >> Pat: Not even close. >> You just did a recent study I think, that looked at that right? >> Yeah we basically saw board-level involvement, you know do you view something as strategic or simply tactical? It's about 39% on the side of, yeah we do, and then the remainder they do not. And that's an inflated number, because when you ask people on a survey they have a halo effect. You're more likely to say, oh sure we do that. Sure we get our board and CEOs involved. It's again that slog word. It's a slow-moving train but we're seeing more and more boards getting involved. Also it helps that some of the new regulations that are coming down the pipe. There's a new regulation in New York State that requires the boards of directors to sign off if they have had conversations with SISO and they've identified the appropriate risk issues. So it's definitely moving in the right direction but it's slow. >> So I had a conversation with a Chief Privacy Officer client, a couple of months ago. And she told me that they'd calculated what would have happened with the Equifax breach, if it had been subject to the fines that are going to go into effect over in Europe. And she said that Equifax would have been hit with $160 billion, with a B, dollar fine. >> Larry: Wow. >> Is that the type of exposure that we're really talking about here for companies that are not doing a good job of, especially given some of the new regulations on the rise. >> Oh absolutely, you know just today there was this issue with Facebook, you probably were following that issue, where Facebook-- >> Oh really, who's Facebook? >> I don't know, they're a small social media company. But basically they released information profiles, detailed profiles, on individuals, and I think it was like 25 million, something towards that range. If the GDPR was in effect, and it involved European citizens, they would put them out of business. There would be no way they could operate in Europe. It would be hundreds of billions of dollars. So it could be devastating, and compliance is on the move, there's no question that Europe is going to be very tough on US companies that are not complying with their law. >> One of the things that Peter and I learned when we started talking to SISOs and boards of directors about this, was that part of the business resiliency strategy was response. That they sort of knew they were going to get hacked, they've been hacked, instead of telling the board no, we've got it all covered, they say listen, this has happened, it's going to happen again, way more transparent. We're going to focus not only on keeping the bad guys out, but How we can respond better. >> Contain it. >> Containment and response. In a more productive manner. How does that fit into your strategy? >> I'll say it's from a recovery. When you talk about respond it's recovery. And one I think you have to look at the company, you have to help the companies and they have to look across the total enterprise. I call it a domino factory. When you get hacked, or when when some risk impacts your business, it creates another risk. It's a domino effect and a lot of companies don't look at it that way. They look at why we get hacked, what does that mean? They have to sit down and really understand what it means to the business and what could happen after, what could it create? And there's a lot of unknowns there. We're gaining a lot more knowledge here, but you really have to sit down and look at it. So the executive committee team, at the board level, they have to be committed to this responses. From a resilience-recovery standpoint, they haven't looked at it as strong as they should of in the past, but I think this past year because executives are being held accountable, they're losing their jobs or going to jail, and so now they're coming out asking for our guidance. They're asking for help. And so the recovery piece, we're looking at new ways of trying to protect, find ways to protect your data. And when that data's protected, can we figure out is something changed? Like when a hacker gets in they make a change, they go in it through your configuration information, no one looked at that typically. So we're trying to find ways to monitor and track, detect these things when they happen, so that we can then figure out how far back you can go back in the data, because the data, was it corrupted today, yesterday, five months ago? It's not an easy solution but they've got to be committed, they've got to sit down we've got to work together to help them figure out the best approach. And there's not one answer. >> Larry I noticed you haven't thrown out the fear metric. You see this a lot, which is "The average cost "of a data breach is 2.56783 million per second." Or whatever it is. Now is that because you don't believe in that, and every situation is different, it depends on your market value, what type of data, et cetera, et cetera. Or is it because it's just too hard to actually quantify? I wonder if you could comment. >> We actually do, some of our research we attempt to quantify, we use activity-based cost data. I only told my friends this, but actually I'm a CPA and a PhD in Accounting, so I know accounting pretty well, and we used an accounting method to try to figure out what the total cost is. It's not a perfect measure, but it basically is fairly objective, and it's the best that exists. Not to sound egotistical, but I think we're the best in that narrow space of predicting cost. But it is difficult because it does depend on a lot of variables. And a lot of organizations don't necessarily understand all of the different ways that a bad event, a negative, a significant breach could affect the bottom line. But we talk to clients and organizations about it, we do board retreats, I was telling Pat, it seems pretty popular, the board wants to get a new-found religion, in privacy and security, after they experience a disaster and we work with them to try to educate them on these risk issues that Pat was referring to before. But it's an interesting time to be in this business. Lots of change. >> Well, in the context of data breaches, I mean, you've pointed this out a lot Peter, is people don't really have an understanding of the value of their data, there's no accepted accounting, there's no gap for data. >> One of the worst circumstances is there's a huge information asymmetry. The bad guys know how valuable your data is. You don't. >> It's the new currency. If you think about currency, data is a currency for people. For companies. An when you lose it, it's one of your most, after your people, your currency's your most critical asset. >> We say the difference between business and digital business is data. Otherwise they're the same thing. A digital business, organizes, treats its data as an asset. But it is a problem that the bad guys are willing to invest more money, more time, more innovation, into attacking because they seem to have a better understanding of what the real value of data is, than the good guys. And that's a problem. >> It's a huge problem. You know we see all of our trade secrets, for example, economic espionage is on the rise. The nation states, they're enjoying this, it's so easy for them to collect incredibly valuable information that we don't even know that it's out in the hands of countries. Not even competitors, worse than that. But if things, fortunately there's a lot of FUD, there's a lot of fear, uncertainty and doubt, but there are really great things going on, in theory of inventing new security controls. That's why I turn to IBM, they're where I go to deal with these issues. >> So if I can ask one last question. Larry, what do you need to do to get people to acknowledge and properly place the value of their data? Is there anything we can do, like in the next six months? >> Yeah I mean I think really the bottom line is, you need to get your senior executives to see this as a strategic, not just at tactical issue. And they could start immediately. I think doing a study for an organization, there's nothing we can do, but others can do this very well. To try to show the economic impact to an organization, especially one that's undergoing a digital transformation. That's, as you mentioned, that's where the value of an information asset, is just so incredibly high. And then you look at a company like a social media company, like a Facebook, and as you basically said, >> you should know. >> Yeah, you should know. So there are examples that you can turn to to show the value of the data asset. It's not protected very well, what are the consequences, downside consequences. >> Well we've got to wrap it up. We talked about sort of Facebook peripherally, but the weaponization of social media is becoming a huge, huge problem. It's certainly affected by most accounts last election, 2020 is going to be all about, Facebook is more influential than the UN. And even though we're here talking about business, everybody in business is on social media, or at least increasingly. And that's another way in. >> It is. >> Give you the last word. >> You know, as Larry said the data's critical, and I think it starts at the executive level, they have to understand the value. And we do this, I just presented about it, we talk about an assessment because, how do you get their attention? You don't want their attention once you get in the headlines, you want help demonstrating there's a value here. So using a study, and Larry did with us, using some assessments that tries to say, here's where you're mature and here's where you're not. For business and IT. To help people demonstrate the importance of this. And demonstrate the risk and vulnerabilities in it. I think that's what people have to, they have to raise, elevate that discussion and make people understand the real business impact. >> Alright, working through day two here IBM Think 2017, you're watching theCube. Dave Vellante for Peter Burris. Check out siliconangle.com for all the news, thecube.net is where you find these videos and wikibon.com for the research. Pat and Larry, thanks very much for coming on. >> Thank you. >> Alright keep it right there, we'll be right back with our next guest right after this short break. (bright music)

>> Announcer: Live from Las Vegas, it's theCUBE. Covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Welcome back to Las Vegas, everybody. This is theCUBE, the leader in live tech coverage and we're here at Knowledge18. This is our sixth CUBE at ServiceNow Knowledge. Jeff Frick is my co-host. Jeff when we started covering ServiceNow Knowledge I think it was under 4,000 people. >> The Aria. >> At The Aria, it was a very hip conference, but now we're talking about 18,000 people at K18. How ironic. Sean Convrey is here. He's the Vice President and General Manager of the ServiceNow Security Business Unit. Welcome back to theCUBE, it's good to see you again, Sean. >> It's great to be back. >> So you know I'm a huge fan of your security initiative because you focused what, in our opinion, is really the real problem which is response. You're going to get hacked, you're going to get penetrated. It takes almost a year to find out when somebody has infiltrated your organization, they're exfiltrating data. You guys are focused on that problem. So, really have a lot of hope for this business in terms of addressing some of those challenges. But, give us the update on the ServiceNow Security Business. >> Sure yeah, so the business is continuing to grow nicely. I think we released at the end of 2017 on our earnings report that security and the other emerging businesses met their aggressive sales targets from 2017. So, we're seeing, you know we're into the hundreds of customers stage now. We've got very mature customers that are deployed in production. I think almost 40% of our customer base is Global 2000 so that's one of the benefits of being on the ServiceNow platform is, we aren't perceived as a 1.0 or a 2.0, even though we've only been around for two years, you know people are thinking of us as an application on top of an already very stable platform. >> One of the things we talk about a lot, you and I have talked about is, what's the right regime for security? All to often it's the sec-ops problem, or it's an I.T. problem. You know, we preach that it's a team sport, it's everybody's problem, but when you extend into an organization from whatever ITSM, or whatever it is, to whom to you sell? Who are your constituents? Are they figuring out that right regime? Or is it really still the sec-ops team? >> Yeah, so there's two major use cases in the security operations product. One is focused on security incident response, and that we're definitely selling primarily to the SOC, to the security operations center. But, we have another growing use case on vulnerability response, which is more the proactive side where we're addressing, really just security good hygiene. How do you reduce the attack surface area in your environment by having less vulnerable software in your environment, and that has a very tight tie to I.T. Actually, they both have very tight ties to I.T. Because in almost all cases, I.T. and I.T. operations are the actual execution arm of whatever changes you need to make to your infrastructure in response to something bad happening. >> Right, it's funny because we were at RSA this year, we've gone for a couple years. 40,000 people, that's a crazy big conference, but a couple of really interesting things that came out this year. One is that, you're going to get penetrated, right, so just a whole change of attitude in terms of not necessarily assuming you won't be, but how are you going to react when you are? How are you going to find out? And the other thing that comes up time and time again when you hear about breaches is this hygiene issue. It's, somebody forgot to hit a switch, forgot to do a correct setting, forgot to do a patch, all these really kind of fundamental things that you need to do at a baseline to at least give you a chance to be able to put up a defense against these people. >> We actually just did a study with Ponemon Institute of nearly 3,000 security professionals focused in on this hygiene problem, on vulnerability response, and some of the stats are just staggering. 70% of respondents said security and I.T. don't have the same visibility into applications and systems. 55% said they spend more time coordinating a response among teams manually than they actually do in the act of patching itself. People are losing 12 days per update in manual coordination, because think about it, you've got not just I.T. and security, but you've got GRC team, you've got the business owner, you've got the application owner, it's not just two folks sitting down at the table, it's a huge team looking at a multi-hundred thousand long spreadsheet of vulnerabilities that they're trying to respond to. >> It's funny, we talk often, it's an often quoted stat, how many days have you been penetrated before you figure it out, but what's less talked about is what you just talked about, is once you find out, then what's the delay where you can start taking proactive action and start taking care of all of these things. That's just as complicated, if not more. >> That's what the study actually bore out. So, one of the things we did was, we broke the data up into those that had been breached and those that had not been breached, and it was about 50/50. But, the biggest difference between the ones that had had a breach in the last two years and the ones that didn't, is the ones that had not been breached self-reported they're vulnerability response program as 40% more effective than those that were breached. So, this hygiene thing this is just fundamental. Actually, my personal theory is, it's not as exciting and undertaking. It's much more fun to talk about how Thor'd the bad guy that was knocking at your front door, trying to find a way in. The sort of proactive, you know execution of a strategy to reduce your attack surface area is much less sexy. >> So, we've always talked about that magic number, or scary number, of the number of days that it takes a company to realize they've been penetrated. Whatever, it ranges from 225, I've seen them higher than 300 and it's a couple years in now, and I'm curious as to what kind of data you have within your customer base. Have you been able to compress that time, and as Jeff points out, even more importantly, have you been able to compress the response time? >> So there's two stats I'll give you. One is, for many organizations they had zero reporting within their own organization. So if they were trying to report out, they were in the land of spreadsheets and emails, so they couldn't tell you how big an impact it had. We actually commissioned a study with Forrester. They did a total economic impact, a TEI study, with our sec-ops customers and found out that the average reduction in their incident response time was 45% improvement, or 45% reduction in their response time, which is just dramatic. That's very meaningful to an organization, especially when there's a prediction of an almost two million cyber-security job shortfall in 2019. So there simply aren't the people to solve this problem, even if you could hire your way out of this. >> So what you would expect is if you could reduce that response time, obviously you're freeing up resource, and then hopefully you could create some kind of flywheel effect, in terms of improving the situation. It's early, but what have you seen there? >> That's exactly what we're seeing. So we're seeing people take the things that are painful and frequent and trying to automate those tasks so that they don't occur as often and require people's time. The analogy that I always use is, if you've watched a medical drama, you always see the doctor racing down the hallway, holding up an X-ray to the fluorescent lights and making a call, telling the nurse five milliliters of this or 10 milliliters of that. >> Stat, stat, stat. >> It's always stat. >> Whatever that means. >> They're saving the day right? They're saving the day. That's what a security person wants to feel like. They want to feel like they're making that insightful call, in the moment, and saving the day, but instead, they're the doctor, they're the nurse, they're the orderly, they're the radiologist, they're the administrative people. They have to play all those roles, and what security automation is really about is, let's take those mundane tasks that you don't like anyway, and get rid of them so you can focus on what truly matters. >> It's such an important piece because like I said, RSA, there's 40,000 people, ton of, ton of vendors, and the CISO cannot buy all those solutions, right? And for you guys, to find a place to fit where you can have nice ROI because you just can't buy it all and to me it's kind of like insurance. At some point you just can't buy more insurance, you can just buy and replace whatever it is that you're insuring, so it's a real interesting kind of dilemma, but you have to be secure. You don't want to be in the Wall Street Journal next week. >> Right. >> Tough challenge. >> It's a very tough challenge and the notion that you can find a product to buy for every problem you have is something that the security community, if you go to RSA, it feels that way, right? Like, "Oh I just need to buy another thing." But, organizations have on average 80 security tools already. So, the challenge is how do you actually reframe and think about prioritization in a different way? So we're actually seeing our customers start to take advantage of the governance risk and compliance capability, that are also part of ServiceNow to use risk as a North Star for their security investments rather than just saying, "Oh this is the latest attack so I need to go buy a thing "that stops that attack." Saying instead, what are my most valuable assets? What is the financial impact of a breach to those services? How do I invest accordingly? >> I was watching a CUBE interview, I think it was from KubeCon, John Furry was doing an interview, and the gentleman he was interviewing said, "The problem with security is for years, organizations "thought they could just buy some piece of technology, "install it, and solve the problem." Couldn't be further from the truth, right? So, describe what you're seeing as to those who are successful and best practice as to solving the problem. >> Sure, well that thinking you can buy your way out of the problem goes all the way back to the early days of firewalls. I mean, I remember earlier in my career trying to convince people that a firewall by itself wasn't enough. So we're seeing in organizations that are adopting best practices around response, is they're taking a much more structured approach to how they respond to the most common attacks. Things like, suspected phishing email, right? Processing a phishing email that's reported by an employee, by a user, takes anywhere from 15 to 20 minutes to check manually to see if it really is phishing or not. You know, with ServiceNow Security Operations we can automate that down to seconds and allow that time for an analyst to go back to focusing on maybe a more advanced attack that does require more human ingenuity to be applied. >> Right, the other thing that keeps coming up time and time again within the ServiceNow application and the platform, is you like having lots of different data sources to pull from. You like being kind of that automated overflow and workflow to leverage those investments for the boxes that they do have in the systems and all those things. You want to use them, but how do you get the most value out of those investments as well? >> Exactly, we're seeing that most organizations don't feel that they're getting the value out of the assets that they've already invested in as well. So, to steal one of our CEO's lines, he talks about this idea of one plus one plus one equals magic. The idea that if you can bring together the right pieces of information you can create this transformational outcome and I think with security technology, if we can bring the data and the insights together on a common platform that allows you to investigate in a more automated way, to draw on the insights that you need from the various systems, and then to respond in the right capacity at the right time, it's a completely different way of solving this problem that I think we are just beginning to explore. >> And a whole nother place to apply A.I. And machine learning down the road as well. So, you can start automating the responses at that tier, and a whole nother level of automation to get the crap that I don't need to pay attention to off my screen, so that I can focus on the stuff that's most important. >> Oh absolutely, I think the headroom in the response category of technology, we're just beginning to see what's going to be possible as we continue to go down this path. >> Can you talk about the ecosystem a little bit? Obviously it's critical. Just to be clear, ServiceNow it not trying to replace Palo Alto Networks, you know, or other security tools. You partner with those guys much in the same way as you're not trying to replace Workday and SAP and HR. Talk about that a little bit, the partner ecosystem, how that's growing and what role they play, where they leave off, and where you pick up. >> Absolutely. So, as you said, we're not in the business of building prevention technology, detection technology, we are all about taking the investments you've already made and bringing them together. So, we consider ourselves a neutral player in this market. We integrate with all sorts of different security technologies because again, the goal is, let's take all these insights that are already in the various pieces of infrastructure. You know, we had one of our customers onstage yesterday during our keynote describing swivel chair. This notion of, I'm swiveling from console to console to console and I'm burning time. If you can give me one place where I can bring that data together, it's really valuable. So, we're quite different than many other ServiceNow products in that, it's often not a human being that initiates the request. You know, a human says, "hey my laptop needs help," right? But, in security it's a third party tool that says, "Hey, go take a look at service X, we're seeing "some weird behavior there." >> So, staying on the ecosystem for a minute. You know, big space; security, crowded space. You were just at RSA. >> It was crazy. >> Crazy, tons of startups. When I talk to startups, in fact I was talking to one the other day, it's a phishing startup, guys out of the NSA doing some really interesting stuff. They got to place bets, small companies, and I'm like, "Have you seen what ServiceNow is doing? "It's kind of an interesting play. "You might be able to participate in "that ecosystem someway, somehow." Is it reasonable to think that startups actually can participate, how can they participate? Can they bring their innovation to you? Or are you really looking for established players with an installed base that you can draft off of? >> Sure, we're actually doing both right now. So, you can think about it, you know, being a new player in the security community, credibility is something we are always seeking to grow and develop over time. So, while we really like to integrate with the large, established security vendors that our customers expect us to integrate with, we also love talking to the innovative startups and integrating with them as well. So, we have a whole technology partner program that allows people to tie into the ecosystem. We have a whole business development team at my organization where we work actively with these companies to help them take best advantage of what integrating with ServiceNow can do. >> I think it's key. If you think about the innovation sandwich we often talk about, for years this industry has marched to the cadence of Moore's Law. It was doubling microprocessor speeds every two years that drove innovation. That was nice, that got us a long way, but seems like innovation today is a combination of data, applying machine intelligence, and cloud, cloud economics. And part of cloud economics you get, scale economies, zero marginal costs at volume, but it's also the ability to attract startups. We see that as critical for innovation. Do you agree? >> Yeah, absolutely. I think that the innovation we are seeing in the security world overall, I think is going to continue to grow, as you saw at RSA, there is always another several hundred vendors it seems like, that are out there. And I think we have, as an industry, toyed with the idea of a suite or consolidation. It's always been, next year is going to be this massive consolidation and it's never seemed to really happen and what I'm thinking is this notion of something like what security operations can do from ServiceNow, where you're sort of making a suite by building an abstractional error that integrates all the technology. So you get the benefits of a suite, while still being able to go best of breed with the individual technologies that you want. >> Yeah, consolidation of technologies and becoming safer every year. Those are two things that haven't happened. Hopefully Sean's ServiceNow can help us with that problem. Put a bow on Knowledge18. What's the takeaway? >> The takeaway for us is that security automation and security orchestration is now here, right? Two years ago, the conversation was "What is ServiceNow doing in security?" Now my conversations with customers are, "I understand, I'm looking at this market overall. "I see the value that it can provide to me." We've got customers on stage, we've got customers leading sessions that are talking about their own transformational experience. So I think the technology is here. Gardner has labeled this category: security orchestration, automation, and response. Which is big for the industry overall. So I think it's here now, and I think we've got a great capability tying into a common platform and of course tightly tying to I.T., where many of our 4,000 customers already are using ServiceNow. >> Who's your favorite superhero? >> Wolverine, no doubt. >> John: Alright, you know why I'm asking. (laughing) >> I don't know why you're asking. >> Oh come on, you're the one that told me that all security guys, when they're little kids, they dreamed about saving the world, so you've got to have a favorite superhero. >> Well, Wolverine's a pretty dark guy, I don't know that that works very well. >> Sells more movies. (laughing) Sean, thanks very much for coming on theCUBE. >> Thanks so much. >> Alright, keep it right there everybody. We'll be back with our next guest right after this short break. You're watching theCUBE live from ServiceNow Knowledge18. (upbeat music)

>> Announcer: Live from Las Vegas it's theCUBE covering Veritas Vision 2017. Brought to you by Veritas. (upbeat techno music) >> Everybody this is theCUBE, the leader in live tech coverage. And we're here covering Veritas Vision. The hashtag is Vtas, v-t-a-s vision. Little bit of a funny hashtag so make sure you get that one right if you want to follow all of the action. I'm Dave Vellante with my co-host this week Stu Miniman. Michelle VanAmburg is here. She's the Director of Global Alliances for Veritas. And she's joined by Daniel Witteveen who is the Vice President of Global Portfolio Resiliency Services at IBM. Folks, thanks for coming on theCUBE. >> Thanks for having us. >> Thank you for having us. >> Michelle, let's start with you. Alliances are a fundamental component of Veritas' strategy. You got to make friends with a lot of different people. What's your general philosophy around alliances? Let's start there. >> Yeah, well specially with IBM, we've had a long term alliance starting back in 2004, around backup and managed services. It's evolved into a very strategic alliance with IBM providing both internal IT support to migrate our key applications into their Bluemix and IBM cloud infrastructure. And then also, evolving the managed service around backup strategically moving into the cloud. We announced something in March to work on backup in the cloud with IBM as part of their Bluemix services. So, each and every partner in alliances has specific strengths and weaknesses. And I think with IBM we're maximizing our partnership around their strengths and that's the services and their play in the enterprise market. We both have about 86% overlap among those customers. >> So, I mean, this is interesting, Daniel, I mean IBM big technology company, huge product portfolio, some of the products competitive with Veritas, but you're part of the services organization so you've got to have the customer's interest first. You guys are sort of technology agnostic generally as a services professional. So, what's your philosophy with regard, maybe I just laid it out, but with regards specifically to data protection and back up? >> So, you said exactly right. We measure ourselves against the business outcomes for our clients. And that truly is vendor agnostic. But when you take a partnership like Veritas, and if you saw the keynotes this morning, they were talking about the leader in the Magic Quadrant for the last several years. IBM's also been the leader in resiliency and in security. So, that's an unparalleled partnership that you can't get from anywhere else. You've got a services firm that can take their software, provide a high-valued outcome to their clients, our clients or mutual clients, and provide it in the cloud. And that could be our cloud, that could be another provider's cloud. Very significant for our clients. >> So, every time we go to these shows you hear about digital transformation. And it's an important topic but sometimes putting meat on the bones is hard. So, let's try to do that. I presume you're hearing this same thing from your joint customers. We got to become a digital business. You hear that from the top. So, what does that mean to your customers? What does it mean to become a digital business? >> So, for me I think a lot of people say that in the context of a one time event. We have to go through digital transformation. >> Voilà! >> Yeah, or suddenly, "Whoo-hoo! We're there!" (laughter) And that's a big, wide definition of what that could mean. I think it's continual transformation. It's innovation. That's a buzz word to me that says, okay, yeah this creates the conversation that's a door opener. But we really have to talk about evolving transformation, cognitive learning, using IBM Watson, always making us better. It's not laying out here's what we're doing and walk away. It has to be continual. >> Can you add anything to that, Michelle? What are your thoughts on digital? We think digital means data. >> Michelle: Mmm-hmm. >> You guys, all we heard this morning is how you're the sort of center of the data universe. What are you hearing from customers on digital? >> Well, I think we're all, including us, Veritas internally struggling with the same thing, right? How do you get there? How do you save cost over time? And how do you keep your business running with all the governance and compliance regulations that are coming down, like GDPR? So, there are a lot of challenges coming out of a lot of these organizations. And I think it takes not only somebody that's the leader in technology, like Veritas, but then it takes somebody who's the system integrator who is monitoring the outcomes for their customers over time. If you look at all the large accounts that IBM manages, we have a huge play for Veritas technology and use of those products in those accounts. So, I think it takes more than just a point, product, or a point in time like Daniel mentioned. It really takes an evolution over time, and a solid plan that can be, again, flexible as GDPR regulations come down the pike. How do we move with the times? How do we manage those outcomes for our customers to be cost effective so that we can keep their business and grow it too. >> Daniel, did you want to comment on that one? >> Yeah, I mean, we mentioned GDPR which I think is kind of the biggest event. It's going to be the Y2K of 2018, right? It's massively significant. But if you throw that under the compliance bucket, we really think about what does that mean for our clients and protecting our clients with those compliance requirements. When you look at IBM and Veritas, our partnership has extensively talked about, Bill Coleman was talking this morning about meeting with the two largest banks. IBM covers 75% of the top 35 banks. We get regulation. That's our job. Customers look for us to lead that example. We have 80% of the Fortune 100 across multiple industries. So, when you combine these technologies together, you combine that regulation overlay, which we have to know not just for one customer but across all of our customers. It's really unmatched. >> So, in addition to kind of the governance piece, what about security? It's been something in my whole career. Used to get a lot of lip service. Today, it's board level discussion. Everybody's handling it. Resiliency services have to believe covers that as well as kind of traditional BCDR type activity. >> Yeah, we define that under cyber resiliency. And that is really going from everything from direct protection all the way to outage to recovery. And I think a lot of customers are struggling with that. We did a study with Ponemon Institute back in May, and 68 of their respondents said they lacked actually reliable foundational way to recover against a cyber attack. And when you really think about it everyone's been in the news over the last several months. You have to respond to that very differently than a hurricane outage or what people think of a disaster recovery which I struggle with that name because it's really any kind of outage. So, cyber resiliency is key. In fact, we have a session tomorrow at 12:30 specifically, talking about our combined approach against cyber resiliency starting from threat protection deterrence. But more importantly when the outage occurs how do you make sure you're actively responding? You're not out for hours, days, and months. You're really, truly out for minutes. >> Michelle, anything around ransomware, the cyber resiliency piece? How does Veritas look at partnering with companies like IBM for these solutions? >> Since we've broken off from Symantec, and we had a lot of security and data protection that was combined, we really look for our partners, like IBM, to to provide a lot of that security specific services around our product. So, one of the things that Daniel had developed, is the cyber resilience offer that we are looking to our joint customers to provide specifically a short engagement around that to help them. So, really, we are starting to look to our partners to offer that security service. >> So, I'm a little bit of an industry historian, mainly cause I'm old. (Michelle laughs) And so, when I look back 1983 when Veritas got started, and we heard today that Veritas has been a leader in the Magic Quadrant for 15 years. So, you had the the PC era, which changed backup when the pendulum swung from mainframe mini to PC. And then obviously clients server evolved that and then virtualization business change that. So, you saw backup evolve, and obviously Veritas stayed with that as a leader throughout. Now, we come to digital business and cloud. And when you think of digital business and cloud, I'm interested in the impacts that it's having on data protection. I think of distributed data, analytics, edge computing, the cloud itself. Whole different set of technologies and processes and skillsets to manage data protection. So, I wonder if you could bring that back to the customer. How are they re-architecting their businesses around, specifically, the data protection side of the business. >> So, I think the first, and we saw this with virtualization we saw it with storage area networks. And we saw it with cloud. The first instinct and the first sales point is well, then I don't need DR. I don't need backup. And it's kind of this false sense of or "I have an SLA, so I'm covered." Which an SLA is just a penalty. It doesn't mean you're covered at all, right? So, we've seen that at every kind of hurdle in our business. But then what we've seen, when you saw storage and virtualization is probably a perfect example, When it's more consolidated, your risk is a lot more condensed. So, before you could have one server outage. You might never have known. But now you have an entire virtual system SAN or even a cloud. We've seen that in the press just being out. It's much more significant. So, customers are taking a lot more serious look at how they're architecting those solutions, making sure their not reliant on one of those consolidated entities. Do I have my data in the cloud? Do I have a way to have that data out of the cloud? Can I run in this cloud, maybe that cloud, on-prem, hybrid IT? Hear that a lot from IBM. But how can I diversify? Which is a very different way of architecting solutions when you've just had client server. >> Stu: Right. Okay, anything you could add to that Michelle, just in terms of what customers are asking you? And specifically, how it might relate to some of your partnerships. >> Michelle: Yeah. >> Maybe, no offense, but broader even than IBM. >> Yeah, from a broader perspective we're seeing all the cloud providers in the market, and we're partnering with all of them at Veritas. Each one of them has their strength. And if you look across our partners, and I've been integral in some of our accounts. Some of them are doing things just as simple as snapshots. They don't have a way to index. They have a hard time recovering. Things like that. Our customers are really on that high end. So, as Daniel mentioned, we have a lot of overlap in the Fortune 1,000. And they are looking for ways to recover their data like they did on-prem but they're moving to the cloud. So, our solutions together, with IBM, are really those heavy-duty enterprise solutions that allow them to have the data recovery, same times RTO, RPO. And also, the disaster recovery programs and the security around those high-end applications that have all the compliance around them. So, from my point of view, IBM's a key partner in that space to allow those highly regulated customers to have the same type of data protection. >> So historically, you guys are in the insurance business. It's a great business, no question. And I always ask, is data an asset or a liability? And the answer is both. But if you had the value pie. Clearly, the pendulum is swinging and things are evolving. Is data still more of a liability in your world than it is an asset? >> Daniel: So, our CEO said it best, data is the new natural resource. So, data is the number one important thing within the customer environment. Without it you don't have intelligence. You don't have machine learning. You don't have predictive outage. You don't have sales force automation. All that is reliant on data. So, it's more critical. Where you could argue it becomes a liability is when you have to be compliant and you have to have that data for the next number of years. A lot of people like to promote backup success. Well, that's nice if you can back it up but can you restore it? Can you make that data active? So, that's where it can be treated as a liability but there's no way I would say it's a liability over an asset. It's absolutely the number one asset in a business. >> Stu: You would Agree, I presume? >> Yeah, I would agree. And we always use the iceberg analogy. The data that you really need is just at the tip of the iceberg above the water. And then you have all this data hidden under the water. How do you make that secure, and understand what you have? And so, I think the analytics, and some of the data protection, and the tiering, the understanding what you readily need available versus what can be archived and stored in the lower cost tier is really important. >> So, where do you guys want to take this relationship? When you sit down ... Give us a little inside baseball here. Where do you see this going over the next 18 to 24 months? >> Daniel: It's only going to be stronger. A lot of conversations in the works about doing a lot more strategic relationships together. I'll leave it as that. We've been very healthy partners for over 11 years, you mentioned 2004 timeframe, I think. We have folks on my development team that are a integral part of Veritas' product offering. Very important to the feedback loop. And vice versa the managed service. So, I think that's going to get tighter. I think that's going to expand just beyond backup. And I'm really looking forward to those possibilities. >> Yep. >> Michelle? So, I'm really excited about our cloud partnership that we announced in March. I see IBM as a key to allowing Veritas to leap into that market, and to provide the enterprise strength solutions. And just really excited about our future. >> Stu: Great. All right, well thank you very much. Good luck with your partnership. >> Michelle: Thank you. >> Daniel: Excellent. >> All right, keep it right there, everybody. We'll be back with our next guest. We're live at Veritas Vision 2017 in Las Vegas. This is theCUBE. Be right back. >> Daniel: Excellent >> Michelle: Awesome, guys. (upbeat techno music)

>> Announcer: Live from Orlando, Florida, it's the Cube. Covering Servicenow, Knowledge 17. Brought to you by Servicenow. >> Welcome back to Orlando everybody this is the Cube the leader in live tech coverage, we go out to the events, we extract the signal from the noise, and we are here for our fifth year at Knowledge this is Knowledge 17, Sean Convery's here he's the general manager of the security business unit at Servicenow, an area that I'm very excited about Shawn. Welcome back to the Cube, it's good to see you again. >> It's great to be here, thanks for having me. >> So let's see you guys launched last year at RSA we talked in depth at Servicenow Knowledge about what you guys were doing. You quoted a stat the other day which I thought was pretty substantial at the financial analyst meeting, 1.1 million job shortfall in cyber. That is huge. That's the problem that you're trying to address. >> Well it's unbelievable, I was- you know we were just doing the keynote earlier this morning and I was recounting, most people in security get in it because they have some, you know desire to save the world right? To to- they watched a movie, they read a book, they're really excited and motivated to come in- >> What's was yours, was it comic book, was it- >> It was, uh, War Games with Matthew Broderick, I was 10 years old which totally dates me, movie came out in '83 so nobody has to look it up. (laughing) And you know I was just, you know blown away by this idea of using technology and being able to change things and the trouble is analysts show up to work and they don't have that experience, and nobody's expected, but they're not even close right? They wind up being told okay here's all this potential phishing email, we'd like you to spend 20 minutes on each one trying to figure out if it actually is phishing. And there's 600 messages. So tell me when you're done and I'll give you the next 600 messages. And so it's not motivating >> Not as sexy as War Games. >> It's not as sexy as War Games exactly. And then the CICO's say, well I can't even afford the people who are well trained. So I hire people right out of school, it takes me six months to train them, they're productive for six months, and then they leave for double their salary. So you wind up with a, sort of a 50 percent productivity rate out of you new hires, and it's just, it's just a recipe for for the past right? You know, we need to think more about how we, how we change things. >> So let's sort of remind our audience in terms of security, you're not building firewalls, you're not, you know competing with a lot of the brand name securities like MacAfee or FireEye, or Palo Alto networks, you're complementing them. Talk about where you fit in the security ecosystem. >> Sure. So if you boil down the entire security market, you can really think about protection and detection as the main two areas, so protection think of a firewall, an antivirus, something that stops something bad, and think of detection as uh, I'm going to flag potentially bad things that I think are bad but I'm not to certain that I want to absolutely stop them. And so what that does is it creates a queue of behavior that needs to be analyzed today by humans, right? So this is where the entire SIM market and everything else was created to aggregate all those alerts. So once you've got the alerts, you know awesome, but you've got to sort of walk thought them and process them. So what Servicenow has focused on is the response category. And visualization, aggregation is nice, but will be much better is to provide folks the mechanism to actually respond to what's happening. Both from a vulnerability standpoint, and from an incidence standpoint. And this is really where Servicenow's expertise shines because we know workflow, we know automation, we know about system of action, right? So that's our pedigree and IT frankly is several years ahead of where the security industry is right now until we can leverage that body of expertise not just with Servicenow, but with now all of our partners to help accelerate the transformation for security team. >> So I got to cut right to the chase. So last year we talked about- and of course every time we get a briefing for instance from a security vendor, where- we're given a stat that is on average it takes 200 sometimes you've seen as high as 300 but let's say 200 days to detect an incident then the answer is so buy our prevention, or our detection solution. >> Yeah. >> I asked you last year and I tweeted out, you know a couple days ago is, has Servicenow affected that? Can you affect- I asked you last year, can you affect that, can you compress that timeframe, you said "we think so." Um what kind of progress have you made? >> Sure so you have to remember about that 200 day stat that that is a industry average across all incidents right? So the Ponemon institute pulls this data together once a year, they survey over 300 companies, and they found that I think it's 206 days is the average right now. And so to identify an- a breach, and then another 75 days to contain it. So together it's nine months, which is a frighteningly long period of time. And so what we wanted to do is measure across all of our productions security operations customers what is their average time to identify and time to contain. So it turns out, it's so small we have to convert it to hours. It's 29 hours to identify, 33 hours to contain, which actually is a 160x improvement in identification, and a 50x improvement in containment. And so we're really excited about that. But you know, frankly, I'm not satisfied. You know, I'm still measuring in hours. Granted we've moved from months to hours, but I want it from hours, to minutes, to seconds, and really, you know we can show how we can do that in minutes today with certain types of attacks. But, there's still the long breaches. >> That's a dramatic reduction, you know I know it's, that 206 whatever it is is an average of averages. >> For sure. >> But the delta between what you're seeing and your customer base is not explainable by, oh well the Servicenow customers just happen to be better at it or lucky year, it's clearly an impact that you're having. >> Well sure, let's be you know as honest as we can be here right? The, you know the people who are adopting security operations are forward thinking security customers so you would expect that they're better, right? And so your- there program should already be more mature than the average program. And if you look across those statistics, like 200 and some days, you know that includes four year long breaches, and it also includes companies that frankly don't pay as much attention to security as they should. But even if you factor all of that out, it's still a massive massive difference. >> So if I looked at the bell curve of your customers versus some of the average in that survey, you'd see, the the shift, the lump would shift way to the left, right? >> Correct. Correct. And, and you know we actually have a customer, Ron Wakely from ANP Financial Services out of Australia, who was just up on stage talking about a 60 percent improvement in his vulnerability and response time. So from identifying the vulnerabilities via Quaales, Rapid 7, Tenable, whoever their scanning vendor is, all the way through IT patching, 60 percent faster, and given that, I think it's something like 80 percent of vulnerabi- or 80 percent of attacks, come from existing vulnerabilities, that's big change. >> So do get- you got to level it when you're measuring things and you change the variable that you're measuring, as opposed to the number, right? That means you're doing a good thing. So to go from, from hours to minutes, is it continuous improvement, or are there some big, you know potential challenges that you can see that if you overcome those challenges, those are going to give you some monumental shifts in the performance. >> I, I think we're ready. I think when we come back next year, the numbers will be even better and this is why, so many of our customers started by saying "I have no process at all, I have manual, you know I'm using spreadsheets, and emails, and notebooks, you know, and trying to manage the security incident when it happens." So let me just get to a system of action, let me get to a common place where I can do all of this investigation. And that's where most of our production customers are so if you look across the ones who gave us the 29 hour and the 33 hour set, that really just getting that benefit from having a place for everybody to work together where we're going, but this is already shipping in our product is the ability to automate the investigation, so back to, back to the, you know, the poor 10 year old who didn't get to save the world, you know, now he gets to say, this entire investigation stage is entirely automated. So if I hand an analyst, for example, an infected server, there's 10 steps they need to do before they even make a decision on anything right? They have to get the network connections, get the running processes, compare them to the processes that should be on the system, look up on a reputation site all the ones that are wrong like all these manual steps. We can automate that entire process so that the analyst gets to make the decision, he's sort of presented the data, here's the report, now decide. The analogy I always use is the, the doctor who's sort of rushing down in an ER show, and somebody hands him an MRI or an X-ray and he's looking at it, you know, through the fluorescent, you know, lights as he's walking and he's like "oh" you know "five millileters of" whatever and "do this" right? >> Right. >> That's the way an analyst wants to work right? They want the data so they can decide. >> I tell you this is the classic way that machines help people do better work right? Which we hear about over and over and over. Let the machines do the machine part, collecting all the shitty boring data, um, and then present you know the data to the person to make the decision. >> Absolutely. >> Probably with recommendations as well right? With some weighted average recommendations >> Yeah and this is where it gets really exciting, because the more we start automating these tasks, you know the human still wants to make the decision but as we grow and grow this industry, one of the benefits of us being in a cloud, is we can start to measure what's happening across all of our customers, so when attack X occurs, this is the behavior that most of our customers follow, so now if you're a new customer, we can just say "in your industry, customers like you tend to do this". >> Right. >> Right? And really excited by what our engineering team is starting to put together. >> Do you have a formal, or at some point maybe down the road a formal process where customers can opt in to an aggregation of, you know we're all in this together we're probably going to share our breach data with one another so that we can start to apply a lot more data across properties to come to better resolutions quicker. >> Well we actually announced today something called trusted security circles. So this is a capability to allow all of our customers to share indicators, so when you're investigating an issue, the indicators are something that are called an indicator of compromise, or an IOC, so we can share those indicators between customers, but we can do that in an anonymous way right? And so you know, the analogy I give you is, what do you do when you lose power in your house? Right? You grab the flashlight, you check the breakers, and then you look out the window, because what are you trying to find out? >> Is anybody else out? >> Is anybody else out exactly. So, you can't do that in security, you're all alone, because if you disclose anything, you risk putting your company further in a bad spot right? Cause now it's reputation damage, somebody discloses the information, so now we've been able to allow people to do this anonymously right so it's automatic. I share something with both of you, you only see that I shared if it's relevant, meaning the service now instance found it in your own environment, and then if all three of us are in a trusted circle, when any one of us shares, we know it was one of the three, but we don't know which one. So the company's protected. >> So just anecdotally when I speak to customers, everybody still is spending more on prevention than on detection. And there's a recognition that that has to shift, and it's starting to. Now you're coming in saying, invest in response. Which, remember from our conversation last year is right on I'm super excited about that because I think the recognition must occur at the board room that you are going to get infiltrated it's the response that is going to determine the quality of your security. And you still have to spend on prevention and detection. But as you go to the market, first of all can you affirm or deny that you're seeing that shift from prevention to detection in spending, is it happening sort of fast enough, and then as you go in and advise people to think about spending on responding, what's their reaction? What are you finding is the, are the headwinds and what's the reception like? >> Sure. So you know to answer your first question about protection to detection, I would say that if you look at the mature protection technologies, right they are continuing to innovate, but certainly what you would expect a firewall to do this year, is somewhat what you expected it to do last year. But the detection category really feels like where there's a lot of innovation, right? So you're seeing you know new capabilities on the endpoint side network side, anomol- you're just seeing all sorts of diff- >> Analytics. >> Analytics, absolutely. And so uh, I do see more spent simply because more of these attacks are too, too nasty to stop, right? You sort of have to detect them and do some more analysis before you can make the decision. To your second question about, you know, what's the reception been when we started talking about response. You know, I haven't had a single meeting with a customer where they haven't said, "wow" like "we need that", right? It was very- I've never had anybody go "Well yeah our program is mature, we're fine, we don't need this." Um, the question is always just where do we start? And so we see, you know vulnerability management as one great place to start incident response is another great place to start. We introduced the third way to start, just today as well. We started shipping this new capability called vendor risk management, which actually acknowledges the the, you know we talked about the perimeter list network what five years ago? Something like that, we're saying oh the perimeter's gone, you know, mobile devices, whatever. But there's another perimeter that's been eroding as well, which is the distinction between a corporate network and your vendors and suppliers. And so your vendors and suppliers become massive sources of potential threat if they're not protected. And so the assessment process, you know, there's telcos who have 50,000 vendors. So you think about the exposure of that many companies and the process to figure out, do they have a strong password policy, right? Do they follow the best practices around network security, those kinds of things, we're allowing you to manage that entire process now. >> So you're obviously hunting within the service now customer-based presumably, right? You want to have somebody to have the platform in order to take advantage of your product. >> Sure. >> Um, could you talk about that dynamic, but also other products that you integrate with. What are you getting from the customers, do I do I have this capability- this is who I use for firewall who I use for detection do you integrate them, I'm sure you're getting that a lot. Maybe talk to that. >> Sure sure. So first off, it's important to share that the Servicenow platform as a whole is very easy to integrate with. There's API's throughout the entire system, you know we can very easily parse even emails, we have a lot of customers that you know have an email generated from an alert system, and we can parse out everything in the email and map it right into a structured workflow, so you can kind of move from unstructured email immediately into now it's in service now. But we have 40 vendors that we directly integrate with today and when I was here about a year ago, I think that number was maybe three or two. And so we're up at 40 now, and that really encompasses a lot of the popular products so we can for example, you know, a common use case, we talked about phishing a little bit right? You know, let me process a potential phishing email, pull out the URL, the subject line, all the things that might indicate bad behavior, let me look them up automatically on these public threat sources like Virus Total or Meta Defender, and then if the answer is they don't think it's bad, I can just close the incident right? If they think it's bad, now I can ask the Palo Alto Firewall, are you already blocking this particular URL, and if the Palo Alto Firewall says "yeah I was already blocking it", again you can close the incident. Only the emails that were known to be bad, and your existing perimeter capabilities didn't stop, did you need to involve people. >> I have to ask you, it goes back to the conversation we had with Robert Gates last year, but I felt like Stuxnet was this milestone, where the, the game just got escalated big time. And it went from sort of harmless, sometimes not harmless, really up the level of risk. Because now others, you know the bad guys really dug into what they could do, and it became pretty substantial. I was asking Gates generally about some future warfare in cyber, and he, this is obviously before the whole Russian hacking, but certainly Snowden and Wikileaks and so fourth was around. And he said, "The United States has to be very careful about how it responds. We have maybe many more capabilities but if we show our hand, others are going to see those weapons, and have access to those weapons, cause it's digital." I wonder as a security expert if you could sort of comment on the state of security, the future of that threat generically, or generally. Where do you see that going? >> Well there's a couple of things that come to mind as you're talking. Uh, one is you're right, Stuxnet was an eye opener I think for a lot of people in the industry that that, that these kinds of vulnerabilities are being used for, you know nation state purposes rather than, you know just sort of, uh random bad behavior. So yeah I would go back to what I said earlier and say that, um, we have to take the noise, the mundane off the table. We have to automate that, you're absolutely right. These sort of nation state attackers, if you're at a Global 2000 organization, right your intellectual property is valuable, the data you have about your employees is valuable, right all this information is going to be sought by competitors, by nation states, you have to be able to focus on those kinds of attacks, which back to my kind of War Games analogy, like that's what these people wanted to do, they wanted to find the needle in the haystack, and instead they're focusing on something more basic. And so I think if we can up the game, that changes things. The second, and really interesting thing for me is this challenge around vulnerability, so you talked about Gates saying that he has to be careful sort of how much he tips his hand. I think it was recently disclosed that the NSA had a stockpile of vulnerabilities that they were not disclosing to weaponize themselves. And that's a really paradoxical question right? You know, do you share it so that everybody can be protected including your own people, right? Imagine Acrobat, you find some problem in Acrobat, like well do you use it to exploit the enemy, or do you use it to protect your own environment? >> It's quite a dilemma. >> You- it's a huge dilemma cause you're assuming either they have it or they don't have the same vulnerability and so I'm fascinated by how that whole plays out. Yeah, it's a little frightening. >> And you know, in the land of defense, you think okay United States, you know biggest defense, spends the most money, has the, you know the most, you know, amazing machines whatever. Um, but in cyber, you know you presume that's the case, but you don't really know, I think of high frequency trading, you know, it was a lit of Russian mathmeticians that actually developed that, so clearly other states have, you know smart people that can you know create, you know, dangerous threats. And it's, it's- >> You only have to live once to, that's kind of the defense game. You got to defend them all, you have to bat 1000 on the defense side, or you know, get it and react, from the other guys side, he can just pow pow pow pow pow, you just got to get through once. >> So this is why your strategy of response is such a winner. >> Well this is where it comes back to risk as well right? At the end of the day you're right, you know a determined adversary you know, sorry to break it to everybody at some point is going to be able to find some way to do some damages. The question is how do you quantify the various risks within your organization? How do you focus your energy from a technology perspective, from a people standpoint, on the things that have the most potential to do your organization harm, and then, you know there's just no way people can stop everything unless you, you know unplug. >> And then there's the business. Then there's the business part of it too right? Cause this is like insurance when do you stop buying more insurance, you know? You could always invest more at what point does the investment no longer justify the cost because there's no simple answer. >> Well this is where, uh you know, we talked to chief information security officers all the time who are struggling with the board of directors conversation. How do I actually have an emotional conversation that's not mired in data on how things are going? And today they often have to fall back on stats like you know we process 5 million alerts per day, or we have, you know x number of vulnerabilities. But with security operations what they can do is say things like well my mean time to identify, you know was 42 hours, and this quarter it's 14 hours, and so the dollars you gave me, here's the impact. You know I have 50 critical vulnerabilities last quarter, this quarter I have 70, but only on my mission critical system, so that indicates future need to fund or reprioritize, right? So suddenly now you've got data where you can actually have a meaningful conversation about where things are from a posture prospective. >> These are the assets that we've, you know quantified the value of, these are the ones that were prioritizing the protection on and here's why we came up with that priority, let's look at that and, you know agree. >> Exactly. You know large organizations, I was talking to the CISO of a fortune ten, 50 I guess and he was sharing that it takes 40 percent of their time in incident response is spent tracking down who owns the IP address. 40 percent. So imagine, you spent 40 percent of a, you know 25 hour response time investigating who owns the asset, and then you find out it's a lab system, or it's a spare. You just wasted 40 percent of your time. But if you can instead know, oh this is your finance reporting infrastructure, okay you super high priority, let's focus in on that. So this is where the business service mapping, the CMDB becomes such a differentiator, when it's in the hands of our customers. >> Super important topic Sean Convery, thanks very much for coming back in the cube and, uh great work. Love it. >> It's great to be here, thanks for having me. >> Alright keep it right there everybody we'll be right back with our next guest, this is the Cube, we're live from Servicenow Knowledge 17 in Orlando. We'll be right back.

(upbeat electronic music) >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We are live in downtown San Francisco, Moscone Center at the RSA conference. It's one of the biggest conferences, I think after like Salesforce and Oracle that they have in Moscone on the tech scene. Over 40,000 professionals here talking about security, I think it was 34,000 last year. It's so busy they can't find a space for theCUBE, so we just have to make our way in. We're really excited by our next guest, Ted Julian from IBM Resistance, Resilience, excuse me. >> Thank you, it's alright. >> And you are the co-founder of VP Product Management. >> That's right. >> Welcome. >> Thanks, good to be here Jeff, thanks. >> And you said IBM actually purchased a company, >> Ted: A year ago. >> A year ago. So happy anniversary. >> Ted: Yeah, thanks. >> So how is that going? >> It's great. Business is really going well, it's been thrilling to get our product in place and a lot more customers and really see it help make a difference for them. >> Yeah we, Jesse Proudman is a many time CUBE alumni, his company is Blue Box, also bought by IBM. >> Ted: Yes. >> A little while ago, also had a really good experience of, kind of bringing all that horse power. >> They know what they are doing. >> To what his situation was. So let's jump into it. >> Sure. >> Security, it's kind of a dark and ominous keynote this morning. The attack's surface is growing with our homes and IOT. The bad guys are getting smarter, the governments are getting involved, there's just not necessarily bad guys. What's kind of your perspective as you see it year after year acquisition? 40,000 professionals here focused on this problem. >> We are not winning. >> We are not winning? >> Unfortunately, I mean, I guess as a species. Again, what is it? We saw a survey recently from the Ponemon Institute. 70% of organizations acknowledge they didn't have an incident response plan. So you talk about that stuff in the keynote where sort of a breach was inevitable. What are you going to do? Well the thing you'd need to have is a response plan to deal with it, and 70% don't. Cost of a breach also, according to Ponemon Institute is up to $4 million on average, obviously they can be a lot larger than that. >> Right. >> So there's a lot of work to be done to do better. >> And then you hook up a new device, and they are on that new device as soon as it plugs into the internet. They say within an hour, they ran a test today. So is the, I mean where are we winning, Where are we getting better? I mean, I've heard crazy stats that people don't even know they've been breached for like 245 days. >> Ted: Yeah. >> Is that coming down? Are we getting better? >> Certainly the best in the business are, and really the challenge I think as an industry is to percolate that down through the rest of the marketplace. Everybody is going to be breached, so it's not whether or not you are breached, it's how you deal with it come the day, that's really going to differentiate the good organizations from the bad ones. And that's where we've been able to help our customers quite a bit by using our platform to help them get a consistence and repeatable process for how they deal with that inevitable breach when it happens. >> That's interesting. So how much if it is you know kind of building a process for when these things happen versus just the cool, sexy technology that people like to talk about? >> Oh, it's everything. I mean one of the hottest trends that you're going to be seeing all over the show is automation and orchestration. Which is critically important as part of the sort of you get an alert and how do you enrich that to understand that, once you understand that how can you quickly come to sort of a course of action that you want to take. How can you implement that course of action very efficiently? Those things are all important. Computers can help a lot with that but at the end of the day it's smart people making good decisions that are going to be the success factor that determines how well you do. >> Right, right. Another kind of theme that we are hearing over and over is really collaboration amongst the companies amongst the competitors, sharing information about the threat profiles, about the threats that are coming in to kind of enable everybody to actually kind of be on the same team. That didn't always used to be the case, was it? >> Well, people have been working on this for a while but I think what's been a challenge is getting people to feel comfortable contributing their data into that data set. Naturally they are very sensitive about that, right? >> Right. >> This is some of our most confidential information that we've had a security issue and we're really not you know, dying to give that out to the general public. And so I think it's been, the industry's been trying to figure out how can we show enough value back when that information's contributed to some kind of a forum to make people feel more comfortable about doing that? So I think we've seen a little bit of progress over this last year and they'll be more going forward, but this is a, It's marathon not a sprint, I think to solve that problem. But, it is crucial because if we can get to that point that's what ultimately allows us to turn the tables on the bad guys. Because they cooperate, big time, they are sharing vulnerabilities, they are sharing tactics, they are sharing information about targets, and it's only when the good guys similarly share what they're experiencing that we'll have that opportunity to turn the table on them. >> It's funny we had a Verizon thing the other night and the guy said if you are from the investigator point of view, it's probably like a police investigator. They see the same pattern over and over and over and over and over it's only when it's the first time it's happen to you that's it's unique and different. So really the way to kind of short-circuit the whole response. >> How do you find out you've been breached? There is short list. One, Brian Crebs, very famous reporter happens to find out, he tells you. Number two, FBI. >> They tell you. >> Unfortunately, that's usually, it's usually external sources like that as oppose to organization internal systems that tip them off to a breach. Another example of how we are doing better but we need to do a lot better. >> And then there's this whole thing coming up called IOT, right. And 5G and all these connected device in the home, our cars, our nest, So the attacks surface gets giant. Like I said, they said in the keynote, you plug something in the internet they are on it within an hour. How does that really change the way that you kind of think about the problem? >> It makes it a lot harder. The attack surface gets harder, gets bigger, the potential risks go up quite a bit, right. I mean you are talking about heart implants, or things like that which may have connectivity to some degree, then obviously the stakes are severe. But the thing that makes those devices even trickier is so often they're embedded systems, and so unlike your Windows PC's or your Mac where, I mean it's updating itself all the time. >> Right, right. >> And you barely even think about it, you turn it on one morning and there is a new update. A little harder to make those update happen on IOT kinds of devices, either because they're harder to get to or the system's aren't as open or people aren't use to allowing those updates to occur. So even though we may know about the vulnerabilities patching them up is even harder in an IOT environment typically than in a traditional. >> It's crazy. Alright, so give us a little update on Resilient. What exactly is do you guys do inside this crazy eco-system of protecting us all? >> Sure. So five or six years ago, myself and my co-founder John started the company and it was really was acknowledging that we've gone through the era of prevention, to detection and now it's all about response. And at the end of the day when organizations were trying to deal with that we saw them using ticketing systems, spreadsheet, email, chat I mean a mess. And so we built our platform, the Resilient IRP from the ground up specifically to help them tie together the people processing in technology around incident response. And that's gone amazing. I mean the growth that we've seen even before the IBM acquisition but afterwards has been breath taking. And more recently we been adding more and more intelligence in automation and orchestration into the platform, to help not only advise people what to do, which we've done forever, but help them do it, click a bottom and we'll deploy that patch or we'll revoke that user's privileges or what have you. >> Right. Yeah a lot of conversation about kind of evolution of big data, evolution of things like Sparks so that you know can react in real time as opposed to kind of looking back after the fact and then trying to go and sell something. >> For sure. And for us it's really empowering that human. It's either the enrichment activity where they'd normally go to 10 different screens, to look up different data about a malware thread or about vulnerabilities, we just spoon feed that to them right within the platforms so they don't have to have those 10 tabs opened in the browser. And after they'd had a chance to evaluate that, and they want to know what to do, again they don't have to go to another tool and make that action happen, they can as click a button within Resilient and we'll do that for them. >> Alright. Ted Julian, we are rooting for you. >> Ted: Thanks, yeah. >> IBM, give him some more recourses. He's Ted Julian and I'm Jeff Frick. You're watching theCUBE at RSA Conference 2017, at Moscone Center, San Francisco. Thanks for watching.