Sean Convery, ServiceNow | RSA 2019
>> Live from San Francisco, it's theCUBE, covering RSA Conference 2019. Brought to you by Forescout. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in Moscone. They finally finished the remodel. Looks beautiful, and the rain is not coming in, which is a good thing. We're excited to have our next guest, a many-time CUBE alumni. He's Sean Convery, the VP and GM of the Security and Risk Business Unit at ServiceNow. Sean, great to see you. >> It's great to see you again, Jeff. Thanks for having us. >> Absolutely. So it's been probably six months or so since we last talked. What's been going on at ServiceNow in the security space? >> Well, one of the things that's been most interesting is, as our customers have started to get into production now with the security capabilities as well as our risk capabilities, they're realizing the benefits of having IT, security and risk on the same platform. So when we were talking last time, we were talking a lot about, you know, security hygiene, vulnerability management, security incidents, and that's all very much mainstream now in our install base. But now folks are saying, "Wait a minute, if I've got IT data, risk data, compliance data, and security and vulnerability data on the same platform, what kinds of things could I now do that I couldn't do before?" >> Right. So what are they doing? >> Well, the big thing they're doing is they're starting to manage risk in a holistic way by leveraging operational data on the platform. So if you think about the way risk tools have historically worked, you know, you're basically in what is essentially a glorified spreadsheet, building dashboards for how to represent the various risks to your organization. But if you think about what auditors and compliance people need to do, they're essentially checking the state of all these compliance tasks throughout an organization. But it's essentially a survey.
Like, I'll ask you, "Hey, tell me about the data protection strategy for your application." You have to tell me, "Well, we're using crypto," or "We're not using crypto," "The data is in this country." Well, all that data is already in ServiceNow. So how do you now automate? So we take all those mundane tasks around compliance and risk and are able to roll that up to clear, visible risk indicators and manage that in a continuous way, what we call continuous monitoring for risk, which is just a brand new way to think about this problem. >> Right. I'm curious how the changing of the assessment of the risk changes over time. You've got the compliance stuff, which you just have to do, right? You have to check the box. You've got, you know, kind of your business crown jewels. But then now we're seeing with kind of these nation state attacks and political attacks and these things that aren't necessarily just trying to steal your personal information and not trying to steal your big money, but they're looking for other data that maybe you wouldn't have assigned an appropriate risk level in a time before, because you were kind of really protecting the money and the obvious crown jewels. How does that risk kind of profile continue to modify and change over time? >> I think that that's gonna be the state, uh, for, you know, forever, right? The risk profile is going to continue to modify. I think what's important for security teams, risk teams is to make sure they're actually using risk, as we talked about last time, as their North Star for guiding their security investments. We're here surrounded, like in the lion's den, by all these security vendors. I was just walking the halls, all the startups that are trying to do different things. And, you know, there's always gonna be another tool that somebody's going to want to sell you to solve a problem. But ultimately you need to be looking at the risks to your organization.
As you said, the evolving risk: people shift to cloud, you know, they deal with nation state attacks, they deal with, you know, whatever is going to come tomorrow. And how do you guide your security investments in favor of that? What we're seeing at ServiceNow is a renewed interest in hygiene and back to basics. How do I manage my vulnerabilities? Is my patch program effective? How am I dealing with exceptions? And what's that channel to IT? Because, as you know, almost everything about security was actually done by IT from an operational standpoint. So that channel of communication is something that we've been really heavily focused on. >> Yeah, it's a pretty state, as you say. We're surrounded by many bright, shiny lights, and people have something to sell. But you can't buy your way out of this thing. You can't technology your way out of it. You can't hire out of it. So you really need to use a kind of a sophisticated strategy of integrated tools with the right amount of automation to help you get through this morass. >> Absolutely. And one of the ways we like to help our customers think about this is, you know, your teams want to be focused on the interesting parts of their jobs. They came into the security industry because they want to help save the world, right? You know, they watch some movie, they imagine some amazing role. And then when they get into the role, if they're dealing with mundane, you know, uh, phishing response, you know, vulnerability prioritization, it just, you know, it takes the wind out of their sails, right? But if you can automate those mundane tasks using a digital workflow platform like ServiceNow, then you suddenly free that time up so they could be focused on what you were just describing, much more advanced attacks where you want creative humans. >> Sort of, this is so funny, right? It's almost like any type of a job, like painting.
You know, the more time you spend prepping the house and sanding everything except painting, the better the painting goes, and it's kind of the same thing here. The boring, the mundane, is applying the patches, as you said, but it's all of those things that make the exciting part when you get there. Now you can focus on real problems versus just, "Shoot, you know, we forgot to apply that patch two weeks ago." >> You reminded me. I think my dad taught me, "measure twice, cut once." So, oh, it's absolutely right. So one way to think about that, a concrete example, is attack surface. So a lot of people in this hall are talking about your attack surface. What are the areas that can be attacked within your organization? Well, one of the best ways to reduce your attack surface is to manage your vulnerability program in an effective way. Because if you can deal with patching much more efficiently, patching the right assets, the ones that have active exploits that are available, then suddenly your inflow of incidents reduces, and then you automate the incidents that remain. And then suddenly you've got massive time savings versus if you just sort of scattershot said, "All right, Team X is going to work on vulnerabilities, Team Y is going to work on incidents." They're really not gonna coordinate. And they're especially not gonna coordinate with IT. That's when things start to fall apart. >> Right. Right. So we're here in the Forescout booth. Um, so how long have you guys been working with Forescout? How do the two systems work together? >> Yeah. So we've been working with Forescout for a while. We've actually got a number of integrations that are live on the ServiceNow Store. Uh, in fact, we have customers in production using Forescout. So what we really see with Forescout and ServiceNow is a couple of things.
First off, just on the asset management, asset discovery side of the house, Forescout has a wealth of capabilities around giving us information about endpoint assets, whether they be traditional assets or IoT assets. And we can feed that directly into the CMDB, our configuration management database, right, to help manage the overall assets within an organization. That's sort of step one. Forescout is a terrific partner to help pull that data in. And then the second thing we can do is we can then, using the security capabilities inside ServiceNow, we can trigger actions inside Forescout's environment to then block, remediate, isolate when we see something bad happening related to an incident or a vulnerability that we discover. >> Right, I just can't help, but they're gonna know asset management is an itty-bitty little piece of the ServiceNow offering, and all we hear about Forescout is just going in and finding out all kinds of stuff that you had out there that can. And I'm like, who found it first, you guys in the asset management or the Forescout sniffer? But I imagine a lot of that stuff is not in your asset management system because it's things that people have just plugged in here and there and along the way. >> Yeah, well, we have a discovery capability as part of ServiceNow, which is fantastic. And that is primarily focused on server assets and the relationship between those server assets. So you want to understand, what is the total footprint of my ERP infrastructure? The load balancers, the network equipment, the servers. We can do that very, very well. What we really rely on a company like Forescout to help us with is, like you said, somebody plugged something in on the wireless network, on the local network. You know, we don't know what it is. And Forescout can help us, you know, what is it? Where is it? And that information's changing so quickly that it really helped us out to have an integrated solution.
We've actually got customers today that are in production now, with sixty thousand devices being managed with Forescout and ServiceNow working together. >> It's curious if you somehow integrate those back in and say, you know, it's not just me plugging in my phone, but it's actually something that needs to be more actively managed. If there's a discovery process there within ServiceNow, or is it mainly just temporary stuff, plug it in, plug it out? >> Yeah, I wouldn't think of the integrations with Forescout as temporary in any way. It's just a more dynamic environment, so as people are plugging systems in, you know, typically, you want to do that in an agentless way, right? You don't want to have a heavyweight agent on the endpoint. And that's what Forescout's really known for: discovering, analyzing what these devices are. And for us, the more incoming data we have into our CMDB, the more valuable that is to our customers. And so we're really excited to do more with Forescout. >> Right. All right, I give you the last word. What priorities for 2019? >> Priorities for 2019 is really to build on what we just announced. So Madrid, our major ServiceNow release, just hit today, right? Thanks, thanks very much. We have exploit enrichment in our vulnerability system now, so we can know, you know, is there a vuln? How critical is it? But also, has it been exploited or not? Right. Is there a publicly available exploit? Does it require local access, remote access? So we've done that on the security side. We did some continuous monitoring that we already talked about. But the big thing for us at ServiceNow is mobile in 2019. Right? So the big capability we announced is native mobile capabilities. So essentially, we're positioning everyday work as the next killer app for mobile.
Because, as you know, ServiceNow is all about interconnecting all these various departments and making these classic processes digital workflows. And now you can have that same sort of consumer-grade mobile experience on your enterprise infrastructure. And so being able to build that out across all of our products and continue to drive value for our customers, we're really excited about it. >> I just can't help but think of Fred coming out, I think it was like 2015, with, like, the first, I might be off by a year or two, the first, you know, ServiceNow on mobile, and the crowd went wild. >> It was awesome at the time, right? Now, that was essentially a scaled-down web capability, right, put inside of a container. Now, this is native mobile. So GPS, Face ID, 3D Touch, to use iOS examples, are all capabilities you can expose in a codeless environment to developers, so you could build a custom application, custom workflow, and you don't have to know anything about how to code, and the app can get pushed down to users' devices right away. >> Very good. Well, I think that's a good place to focus on. Right, Sean? Well, thanks for taking a few minutes to stop by. >> Of course. Thanks to you. Pleasure. >> All right. He's Sean, I'm Jeff. You're watching theCUBE. We're at RSA in San Francisco. Thanks for watching. We'll see you next time.
Sean Convery, ServiceNow | ServiceNow Knowledge18
>> Announcer: Live from Las Vegas, it's theCUBE. Covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Welcome back to Las Vegas, everybody. This is theCUBE, the leader in live tech coverage and we're here at Knowledge18. This is our sixth CUBE at ServiceNow Knowledge. Jeff Frick is my co-host. Jeff when we started covering ServiceNow Knowledge I think it was under 4,000 people. >> The Aria. >> At The Aria, it was a very hip conference, but now we're talking about 18,000 people at K18. How ironic. Sean Convery is here. He's the Vice President and General Manager of the ServiceNow Security Business Unit. Welcome back to theCUBE, it's good to see you again, Sean. >> It's great to be back. >> So you know I'm a huge fan of your security initiative because you focused what, in our opinion, is really the real problem which is response. You're going to get hacked, you're going to get penetrated. It takes almost a year to find out when somebody has infiltrated your organization, they're exfiltrating data. You guys are focused on that problem. So, really have a lot of hope for this business in terms of addressing some of those challenges. But, give us the update on the ServiceNow Security Business. >> Sure yeah, so the business is continuing to grow nicely. I think we released at the end of 2017 on our earnings report that security and the other emerging businesses met their aggressive sales targets from 2017. So, we're seeing, you know we're into the hundreds of customers stage now. We've got very mature customers that are deployed in production. I think almost 40% of our customer base is Global 2000 so that's one of the benefits of being on the ServiceNow platform is, we aren't perceived as a 1.0 or a 2.0, even though we've only been around for two years, you know people are thinking of us as an application on top of an already very stable platform.
>> One of the things we talk about a lot, you and I have talked about is, what's the right regime for security? All too often it's the sec-ops problem, or it's an I.T. problem. You know, we preach that it's a team sport, it's everybody's problem, but when you extend into an organization from whatever ITSM, or whatever it is, to whom do you sell? Who are your constituents? Are they figuring out that right regime? Or is it really still the sec-ops team? >> Yeah, so there's two major use cases in the security operations product. One is focused on security incident response, and that we're definitely selling primarily to the SOC, to the security operations center. But, we have another growing use case on vulnerability response, which is more the proactive side where we're addressing, really just security good hygiene. How do you reduce the attack surface area in your environment by having less vulnerable software in your environment, and that has a very tight tie to I.T. Actually, they both have very tight ties to I.T. Because in almost all cases, I.T. and I.T. operations are the actual execution arm of whatever changes you need to make to your infrastructure in response to something bad happening. >> Right, it's funny because we were at RSA this year, we've gone for a couple years. 40,000 people, that's a crazy big conference, but a couple of really interesting things that came out this year. One is that, you're going to get penetrated, right, so just a whole change of attitude in terms of not necessarily assuming you won't be, but how are you going to react when you are? How are you going to find out? And the other thing that comes up time and time again when you hear about breaches is this hygiene issue. It's, somebody forgot to hit a switch, forgot to do a correct setting, forgot to do a patch, all these really kind of fundamental things that you need to do at a baseline to at least give you a chance to be able to put up a defense against these people.
>> We actually just did a study with Ponemon Institute of nearly 3,000 security professionals focused in on this hygiene problem, on vulnerability response, and some of the stats are just staggering. 70% of respondents said security and I.T. don't have the same visibility into applications and systems. 55% said they spend more time coordinating a response among teams manually than they actually do in the act of patching itself. People are losing 12 days per update in manual coordination, because think about it, you've got not just I.T. and security, but you've got GRC team, you've got the business owner, you've got the application owner, it's not just two folks sitting down at the table, it's a huge team looking at a multi-hundred thousand long spreadsheet of vulnerabilities that they're trying to respond to. >> It's funny, we talk often, it's an often quoted stat, how many days have you been penetrated before you figure it out, but what's less talked about is what you just talked about, is once you find out, then what's the delay where you can start taking proactive action and start taking care of all of these things. That's just as complicated, if not more. >> That's what the study actually bore out. So, one of the things we did was, we broke the data up into those that had been breached and those that had not been breached, and it was about 50/50. But, the biggest difference between the ones that had had a breach in the last two years and the ones that didn't, is the ones that had not been breached self-reported their vulnerability response program as 40% more effective than those that were breached. So, this hygiene thing this is just fundamental. Actually, my personal theory is, it's not as exciting an undertaking. It's much more fun to talk about how you thwarted the bad guy that was knocking at your front door, trying to find a way in. The sort of proactive, you know execution of a strategy to reduce your attack surface area is much less sexy.
>> So, we've always talked about that magic number, or scary number, of the number of days that it takes a company to realize they've been penetrated. Whatever, it ranges from 225, I've seen them higher than 300 and it's a couple years in now, and I'm curious as to what kind of data you have within your customer base. Have you been able to compress that time, and as Jeff points out, even more importantly, have you been able to compress the response time? >> So there's two stats I'll give you. One is, for many organizations they had zero reporting within their own organization. So if they were trying to report out, they were in the land of spreadsheets and emails, so they couldn't tell you how big an impact it had. We actually commissioned a study with Forrester. They did a total economic impact, a TEI study, with our sec-ops customers and found out that the average reduction in their incident response time was 45% improvement, or 45% reduction in their response time, which is just dramatic. That's very meaningful to an organization, especially when there's a prediction of an almost two million cyber-security job shortfall in 2019. So there simply aren't the people to solve this problem, even if you could hire your way out of this. >> So what you would expect is if you could reduce that response time, obviously you're freeing up resource, and then hopefully you could create some kind of flywheel effect, in terms of improving the situation. It's early, but what have you seen there? >> That's exactly what we're seeing. So we're seeing people take the things that are painful and frequent and trying to automate those tasks so that they don't occur as often and require people's time. The analogy that I always use is, if you've watched a medical drama, you always see the doctor racing down the hallway, holding up an X-ray to the fluorescent lights and making a call, telling the nurse five milliliters of this or 10 milliliters of that. >> Stat, stat, stat. 
>> It's always stat. >> Whatever that means. >> They're saving the day right? They're saving the day. That's what a security person wants to feel like. They want to feel like they're making that insightful call, in the moment, and saving the day, but instead, they're the doctor, they're the nurse, they're the orderly, they're the radiologist, they're the administrative people. They have to play all those roles, and what security automation is really about is, let's take those mundane tasks that you don't like anyway, and get rid of them so you can focus on what truly matters. >> It's such an important piece because like I said, RSA, there's 40,000 people, ton of, ton of vendors, and the CISO cannot buy all those solutions, right? And for you guys, to find a place to fit where you can have nice ROI because you just can't buy it all and to me it's kind of like insurance. At some point you just can't buy more insurance, you can just buy and replace whatever it is that you're insuring, so it's a real interesting kind of dilemma, but you have to be secure. You don't want to be in the Wall Street Journal next week. >> Right. >> Tough challenge. >> It's a very tough challenge and the notion that you can find a product to buy for every problem you have is something that the security community, if you go to RSA, it feels that way, right? Like, "Oh I just need to buy another thing." But, organizations have on average 80 security tools already. So, the challenge is how do you actually reframe and think about prioritization in a different way? So we're actually seeing our customers start to take advantage of the governance risk and compliance capability, that are also part of ServiceNow to use risk as a North Star for their security investments rather than just saying, "Oh this is the latest attack so I need to go buy a thing "that stops that attack." Saying instead, what are my most valuable assets? What is the financial impact of a breach to those services? 
How do I invest accordingly? >> I was watching a CUBE interview, I think it was from KubeCon, John Furrier was doing an interview, and the gentleman he was interviewing said, "The problem with security is for years, organizations "thought they could just buy some piece of technology, "install it, and solve the problem." Couldn't be further from the truth, right? So, describe what you're seeing as to those who are successful and best practice as to solving the problem. >> Sure, well that thinking you can buy your way out of the problem goes all the way back to the early days of firewalls. I mean, I remember earlier in my career trying to convince people that a firewall by itself wasn't enough. So we're seeing in organizations that are adopting best practices around response, is they're taking a much more structured approach to how they respond to the most common attacks. Things like, suspected phishing email, right? Processing a phishing email that's reported by an employee, by a user, takes anywhere from 15 to 20 minutes to check manually to see if it really is phishing or not. You know, with ServiceNow Security Operations we can automate that down to seconds and allow that time for an analyst to go back to focusing on maybe a more advanced attack that does require more human ingenuity to be applied. >> Right, the other thing that keeps coming up time and time again within the ServiceNow application and the platform, is you like having lots of different data sources to pull from. You like being kind of that automated overflow and workflow to leverage those investments for the boxes that they do have in the systems and all those things. You want to use them, but how do you get the most value out of those investments as well? >> Exactly, we're seeing that most organizations don't feel that they're getting the value out of the assets that they've already invested in as well.
So, to steal one of our CEO's lines, he talks about this idea of one plus one plus one equals magic. The idea that if you can bring together the right pieces of information you can create this transformational outcome and I think with security technology, if we can bring the data and the insights together on a common platform that allows you to investigate in a more automated way, to draw on the insights that you need from the various systems, and then to respond in the right capacity at the right time, it's a completely different way of solving this problem that I think we are just beginning to explore. >> And a whole nother place to apply A.I. and machine learning down the road as well. So, you can start automating the responses at that tier, and a whole nother level of automation to get the crap that I don't need to pay attention to off my screen, so that I can focus on the stuff that's most important. >> Oh absolutely, I think the headroom in the response category of technology, we're just beginning to see what's going to be possible as we continue to go down this path. >> Can you talk about the ecosystem a little bit? Obviously it's critical. Just to be clear, ServiceNow is not trying to replace Palo Alto Networks, you know, or other security tools. You partner with those guys much in the same way as you're not trying to replace Workday and SAP and HR. Talk about that a little bit, the partner ecosystem, how that's growing and what role they play, where they leave off, and where you pick up. >> Absolutely. So, as you said, we're not in the business of building prevention technology, detection technology, we are all about taking the investments you've already made and bringing them together. So, we consider ourselves a neutral player in this market. We integrate with all sorts of different security technologies because again, the goal is, let's take all these insights that are already in the various pieces of infrastructure.
You know, we had one of our customers onstage yesterday during our keynote describing swivel chair. This notion of, I'm swiveling from console to console to console and I'm burning time. If you can give me one place where I can bring that data together, it's really valuable. So, we're quite different than many other ServiceNow products in that, it's often not a human being that initiates the request. You know, a human says, "hey my laptop needs help," right? But, in security it's a third party tool that says, "Hey, go take a look at service X, we're seeing "some weird behavior there." >> So, staying on the ecosystem for a minute. You know, big space; security, crowded space. You were just at RSA. >> It was crazy. >> Crazy, tons of startups. When I talk to startups, in fact I was talking to one the other day, it's a phishing startup, guys out of the NSA doing some really interesting stuff. They got to place bets, small companies, and I'm like, "Have you seen what ServiceNow is doing? "It's kind of an interesting play. "You might be able to participate in "that ecosystem someway, somehow." Is it reasonable to think that startups actually can participate, how can they participate? Can they bring their innovation to you? Or are you really looking for established players with an installed base that you can draft off of? >> Sure, we're actually doing both right now. So, you can think about it, you know, being a new player in the security community, credibility is something we are always seeking to grow and develop over time. So, while we really like to integrate with the large, established security vendors that our customers expect us to integrate with, we also love talking to the innovative startups and integrating with them as well. So, we have a whole technology partner program that allows people to tie into the ecosystem. 
We have a whole business development team at my organization where we work actively with these companies to help them take best advantage of what integrating with ServiceNow can do. >> I think it's key. If you think about the innovation sandwich we often talk about, for years this industry has marched to the cadence of Moore's Law. It was doubling microprocessor speeds every two years that drove innovation. That was nice, that got us a long way, but seems like innovation today is a combination of data, applying machine intelligence, and cloud, cloud economics. And part of cloud economics you get, scale economies, zero marginal costs at volume, but it's also the ability to attract startups. We see that as critical for innovation. Do you agree? >> Yeah, absolutely. I think that the innovation we are seeing in the security world overall, I think is going to continue to grow, as you saw at RSA, there is always another several hundred vendors it seems like, that are out there. And I think we have, as an industry, toyed with the idea of a suite or consolidation. It's always been, next year is going to be this massive consolidation and it's never seemed to really happen and what I'm thinking is this notion of something like what security operations can do from ServiceNow, where you're sort of making a suite by building an abstraction layer that integrates all the technology. So you get the benefits of a suite, while still being able to go best of breed with the individual technologies that you want. >> Yeah, consolidation of technologies and becoming safer every year. Those are two things that haven't happened. Hopefully Sean's ServiceNow can help us with that problem. Put a bow on Knowledge18. What's the takeaway? >> The takeaway for us is that security automation and security orchestration is now here, right? Two years ago, the conversation was "What is ServiceNow doing in security?"
Now my conversations with customers are, "I understand, I'm looking at this market overall. I see the value that it can provide to me." We've got customers on stage, we've got customers leading sessions that are talking about their own transformational experience. So I think the technology is here. Gartner has labeled this category: security orchestration, automation, and response. Which is big for the industry overall. So I think it's here now, and I think we've got a great capability tying into a common platform and of course tightly tying to I.T., where many of our 4,000 customers already are using ServiceNow. >> Who's your favorite superhero? >> Wolverine, no doubt. >> John: Alright, you know why I'm asking. (laughing) >> I don't know why you're asking. >> Oh come on, you're the one that told me that all security guys, when they're little kids, they dreamed about saving the world, so you've got to have a favorite superhero. >> Well, Wolverine's a pretty dark guy, I don't know that that works very well. >> Sells more movies. (laughing) Sean, thanks very much for coming on theCUBE. >> Thanks so much. >> Alright, keep it right there everybody. We'll be back with our next guest right after this short break. You're watching theCUBE live from ServiceNow Knowledge18. (upbeat music)
Sean Convery, ServiceNow - ServiceNow Knowledge 17 - #know17 - #theCUBE
>> Announcer: Live from Orlando, Florida, it's the Cube. Covering ServiceNow, Knowledge 17. Brought to you by ServiceNow. >> Welcome back to Orlando everybody this is the Cube the leader in live tech coverage, we go out to the events, we extract the signal from the noise, and we are here for our fifth year at Knowledge this is Knowledge 17, Sean Convery's here he's the general manager of the security business unit at ServiceNow, an area that I'm very excited about Sean. Welcome back to the Cube, it's good to see you again. >> It's great to be here, thanks for having me. >> So let's see you guys launched last year at RSA we talked in depth at ServiceNow Knowledge about what you guys were doing. You quoted a stat the other day which I thought was pretty substantial at the financial analyst meeting, 1.1 million job shortfall in cyber. That is huge. That's the problem that you're trying to address. >> Well it's unbelievable, I was- you know we were just doing the keynote earlier this morning and I was recounting, most people in security get in it because they have some, you know desire to save the world right? To to- they watched a movie, they read a book, they're really excited and motivated to come in- >> What was yours, was it comic book, was it- >> It was, uh, War Games with Matthew Broderick, I was 10 years old which totally dates me, movie came out in '83 so nobody has to look it up. (laughing) And you know I was just, you know blown away by this idea of using technology and being able to change things and the trouble is analysts show up to work and they don't have that experience, and nobody's expected, but they're not even close right? They wind up being told okay here's all this potential phishing email, we'd like you to spend 20 minutes on each one trying to figure out if it actually is phishing. And there's 600 messages. So tell me when you're done and I'll give you the next 600 messages. And so it's not motivating >> Not as sexy as War Games. 
>> It's not as sexy as War Games exactly. And then the CISOs say, well I can't even afford the people who are well trained. So I hire people right out of school, it takes me six months to train them, they're productive for six months, and then they leave for double their salary. So you wind up with a, sort of a 50 percent productivity rate out of your new hires, and it's just, it's just a recipe for for the past right? You know, we need to think more about how we, how we change things. >> So let's sort of remind our audience in terms of security, you're not building firewalls, you're not, you know competing with a lot of the brand name securities like McAfee or FireEye, or Palo Alto Networks, you're complementing them. Talk about where you fit in the security ecosystem. >> Sure. So if you boil down the entire security market, you can really think about protection and detection as the main two areas, so protection think of a firewall, an antivirus, something that stops something bad, and think of detection as uh, I'm going to flag potentially bad things that I think are bad but I'm not too certain that I want to absolutely stop them. And so what that does is it creates a queue of behavior that needs to be analyzed today by humans, right? So this is where the entire SIEM market and everything else was created to aggregate all those alerts. So once you've got the alerts, you know awesome, but you've got to sort of walk through them and process them. So what ServiceNow has focused on is the response category. And visualization, aggregation is nice, but will be much better is to provide folks the mechanism to actually respond to what's happening. Both from a vulnerability standpoint, and from an incident standpoint. And this is really where ServiceNow's expertise shines because we know workflow, we know automation, we know about system of action, right? 
So that's our pedigree and IT frankly is several years ahead of where the security industry is right now until we can leverage that body of expertise not just with ServiceNow, but with now all of our partners to help accelerate the transformation for security team. >> So I got to cut right to the chase. So last year we talked about- and of course every time we get a briefing for instance from a security vendor, where- we're given a stat that is on average it takes 200 sometimes you've seen as high as 300 but let's say 200 days to detect an incident then the answer is so buy our prevention, or our detection solution. >> Yeah. >> I asked you last year and I tweeted out, you know a couple days ago is, has ServiceNow affected that? Can you affect- I asked you last year, can you affect that, can you compress that timeframe, you said "we think so." Um what kind of progress have you made? >> Sure so you have to remember about that 200 day stat that that is a industry average across all incidents right? So the Ponemon Institute pulls this data together once a year, they survey over 300 companies, and they found that I think it's 206 days is the average right now. And so to identify an- a breach, and then another 75 days to contain it. So together it's nine months, which is a frighteningly long period of time. And so what we wanted to do is measure across all of our productions security operations customers what is their average time to identify and time to contain. So it turns out, it's so small we have to convert it to hours. It's 29 hours to identify, 33 hours to contain, which actually is a 160x improvement in identification, and a 50x improvement in containment. And so we're really excited about that. But you know, frankly, I'm not satisfied. You know, I'm still measuring in hours. 
Granted we've moved from months to hours, but I want it from hours, to minutes, to seconds, and really, you know we can show how we can do that in minutes today with certain types of attacks. But, there's still the long breaches. >> That's a dramatic reduction, you know I know it's, that 206 whatever it is is an average of averages. >> For sure. >> But the delta between what you're seeing and your customer base is not explainable by, oh well the ServiceNow customers just happen to be better at it or lucky year, it's clearly an impact that you're having. >> Well sure, let's be you know as honest as we can be here right? The, you know the people who are adopting security operations are forward thinking security customers so you would expect that they're better, right? And so your- their program should already be more mature than the average program. And if you look across those statistics, like 200 and some days, you know that includes four year long breaches, and it also includes companies that frankly don't pay as much attention to security as they should. But even if you factor all of that out, it's still a massive massive difference. >> So if I looked at the bell curve of your customers versus some of the average in that survey, you'd see, the the shift, the lump would shift way to the left, right? >> Correct. Correct. And, and you know we actually have a customer, Ron Wakely from ANP Financial Services out of Australia, who was just up on stage talking about a 60 percent improvement in his vulnerability and response time. So from identifying the vulnerabilities via Qualys, Rapid7, Tenable, whoever their scanning vendor is, all the way through IT patching, 60 percent faster, and given that, I think it's something like 80 percent of vulnerabi- or 80 percent of attacks, come from existing vulnerabilities, that's big change. 
>> So do get- you got to level it when you're measuring things and you change the variable that you're measuring, as opposed to the number, right? That means you're doing a good thing. So to go from, from hours to minutes, is it continuous improvement, or are there some big, you know potential challenges that you can see that if you overcome those challenges, those are going to give you some monumental shifts in the performance. >> I, I think we're ready. I think when we come back next year, the numbers will be even better and this is why, so many of our customers started by saying "I have no process at all, I have manual, you know I'm using spreadsheets, and emails, and notebooks, you know, and trying to manage the security incident when it happens." So let me just get to a system of action, let me get to a common place where I can do all of this investigation. And that's where most of our production customers are so if you look across the ones who gave us the 29 hour and the 33 hour set, that really just getting that benefit from having a place for everybody to work together where we're going, but this is already shipping in our product is the ability to automate the investigation, so back to, back to the, you know, the poor 10 year old who didn't get to save the world, you know, now he gets to say, this entire investigation stage is entirely automated. So if I hand an analyst, for example, an infected server, there's 10 steps they need to do before they even make a decision on anything right? They have to get the network connections, get the running processes, compare them to the processes that should be on the system, look up on a reputation site all the ones that are wrong like all these manual steps. We can automate that entire process so that the analyst gets to make the decision, he's sort of presented the data, here's the report, now decide. 
The analogy I always use is the, the doctor who's sort of rushing down in an ER show, and somebody hands him an MRI or an X-ray and he's looking at it, you know, through the fluorescent, you know, lights as he's walking and he's like "oh" you know "five milliliters of" whatever and "do this" right? >> Right. >> That's the way an analyst wants to work right? They want the data so they can decide. >> I tell you this is the classic way that machines help people do better work right? Which we hear about over and over and over. Let the machines do the machine part, collecting all the shitty boring data, um, and then present you know the data to the person to make the decision. >> Absolutely. >> Probably with recommendations as well right? With some weighted average recommendations >> Yeah and this is where it gets really exciting, because the more we start automating these tasks, you know the human still wants to make the decision but as we grow and grow this industry, one of the benefits of us being in a cloud, is we can start to measure what's happening across all of our customers, so when attack X occurs, this is the behavior that most of our customers follow, so now if you're a new customer, we can just say "in your industry, customers like you tend to do this". >> Right. >> Right? And really excited by what our engineering team is starting to put together. >> Do you have a formal, or at some point maybe down the road a formal process where customers can opt in to an aggregation of, you know we're all in this together we're probably going to share our breach data with one another so that we can start to apply a lot more data across properties to come to better resolutions quicker. >> Well we actually announced today something called trusted security circles. 
So this is a capability to allow all of our customers to share indicators, so when you're investigating an issue, the indicators are something that are called an indicator of compromise, or an IOC, so we can share those indicators between customers, but we can do that in an anonymous way right? And so you know, the analogy I give you is, what do you do when you lose power in your house? Right? You grab the flashlight, you check the breakers, and then you look out the window, because what are you trying to find out? >> Is anybody else out? >> Is anybody else out exactly. So, you can't do that in security, you're all alone, because if you disclose anything, you risk putting your company further in a bad spot right? Cause now it's reputation damage, somebody discloses the information, so now we've been able to allow people to do this anonymously right so it's automatic. I share something with both of you, you only see that I shared if it's relevant, meaning the ServiceNow instance found it in your own environment, and then if all three of us are in a trusted circle, when any one of us shares, we know it was one of the three, but we don't know which one. So the company's protected. >> So just anecdotally when I speak to customers, everybody still is spending more on prevention than on detection. And there's a recognition that that has to shift, and it's starting to. Now you're coming in saying, invest in response. Which, remember from our conversation last year is right on I'm super excited about that because I think the recognition must occur at the board room that you are going to get infiltrated it's the response that is going to determine the quality of your security. And you still have to spend on prevention and detection. 
But as you go to the market, first of all can you affirm or deny that you're seeing that shift from prevention to detection in spending, is it happening sort of fast enough, and then as you go in and advise people to think about spending on responding, what's their reaction? What are you finding is the, are the headwinds and what's the reception like? >> Sure. So you know to answer your first question about protection to detection, I would say that if you look at the mature protection technologies, right they are continuing to innovate, but certainly what you would expect a firewall to do this year, is somewhat what you expected it to do last year. But the detection category really feels like where there's a lot of innovation, right? So you're seeing you know new capabilities on the endpoint side network side, anomol- you're just seeing all sorts of diff- >> Analytics. >> Analytics, absolutely. And so uh, I do see more spent simply because more of these attacks are too, too nasty to stop, right? You sort of have to detect them and do some more analysis before you can make the decision. To your second question about, you know, what's the reception been when we started talking about response. You know, I haven't had a single meeting with a customer where they haven't said, "wow" like "we need that", right? It was very- I've never had anybody go "Well yeah our program is mature, we're fine, we don't need this." Um, the question is always just where do we start? And so we see, you know vulnerability management as one great place to start incident response is another great place to start. We introduced the third way to start, just today as well. We started shipping this new capability called vendor risk management, which actually acknowledges the the, you know we talked about the perimeterless network what five years ago? Something like that, we're saying oh the perimeter's gone, you know, mobile devices, whatever. 
But there's another perimeter that's been eroding as well, which is the distinction between a corporate network and your vendors and suppliers. And so your vendors and suppliers become massive sources of potential threat if they're not protected. And so the assessment process, you know, there's telcos who have 50,000 vendors. So you think about the exposure of that many companies and the process to figure out, do they have a strong password policy, right? Do they follow the best practices around network security, those kinds of things, we're allowing you to manage that entire process now. >> So you're obviously hunting within the ServiceNow customer base presumably, right? You want to have somebody to have the platform in order to take advantage of your product. >> Sure. >> Um, could you talk about that dynamic, but also other products that you integrate with. What are you getting from the customers, do I do I have this capability- this is who I use for firewall who I use for detection do you integrate them, I'm sure you're getting that a lot. Maybe talk to that. >> Sure sure. So first off, it's important to share that the ServiceNow platform as a whole is very easy to integrate with. There's APIs throughout the entire system, you know we can very easily parse even emails, we have a lot of customers that you know have an email generated from an alert system, and we can parse out everything in the email and map it right into a structured workflow, so you can kind of move from unstructured email immediately into now it's in ServiceNow. But we have 40 vendors that we directly integrate with today and when I was here about a year ago, I think that number was maybe three or two. And so we're up at 40 now, and that really encompasses a lot of the popular products so we can for example, you know, a common use case, we talked about phishing a little bit right? 
You know, let me process a potential phishing email, pull out the URL, the subject line, all the things that might indicate bad behavior, let me look them up automatically on these public threat sources like VirusTotal or MetaDefender, and then if the answer is they don't think it's bad, I can just close the incident right? If they think it's bad, now I can ask the Palo Alto Firewall, are you already blocking this particular URL, and if the Palo Alto Firewall says "yeah I was already blocking it", again you can close the incident. Only the emails that were known to be bad, and your existing perimeter capabilities didn't stop, did you need to involve people. >> I have to ask you, it goes back to the conversation we had with Robert Gates last year, but I felt like Stuxnet was this milestone, where the, the game just got escalated big time. And it went from sort of harmless, sometimes not harmless, really up the level of risk. Because now others, you know the bad guys really dug into what they could do, and it became pretty substantial. I was asking Gates generally about some future warfare in cyber, and he, this is obviously before the whole Russian hacking, but certainly Snowden and Wikileaks and so forth was around. And he said, "The United States has to be very careful about how it responds. We have maybe many more capabilities but if we show our hand, others are going to see those weapons, and have access to those weapons, cause it's digital." I wonder as a security expert if you could sort of comment on the state of security, the future of that threat generically, or generally. Where do you see that going? >> Well there's a couple of things that come to mind as you're talking. Uh, one is you're right, Stuxnet was an eye opener I think for a lot of people in the industry that that, that these kinds of vulnerabilities are being used for, you know nation state purposes rather than, you know just sort of, uh random bad behavior. 
So yeah I would go back to what I said earlier and say that, um, we have to take the noise, the mundane off the table. We have to automate that, you're absolutely right. These sort of nation state attackers, if you're at a Global 2000 organization, right your intellectual property is valuable, the data you have about your employees is valuable, right all this information is going to be sought by competitors, by nation states, you have to be able to focus on those kinds of attacks, which back to my kind of War Games analogy, like that's what these people wanted to do, they wanted to find the needle in the haystack, and instead they're focusing on something more basic. And so I think if we can up the game, that changes things. The second, and really interesting thing for me is this challenge around vulnerability, so you talked about Gates saying that he has to be careful sort of how much he tips his hand. I think it was recently disclosed that the NSA had a stockpile of vulnerabilities that they were not disclosing to weaponize themselves. And that's a really paradoxical question right? You know, do you share it so that everybody can be protected including your own people, right? Imagine Acrobat, you find some problem in Acrobat, like well do you use it to exploit the enemy, or do you use it to protect your own environment? >> It's quite a dilemma. >> You- it's a huge dilemma cause you're assuming either they have it or they don't have the same vulnerability and so I'm fascinated by how that whole plays out. Yeah, it's a little frightening. >> And you know, in the land of defense, you think okay United States, you know biggest defense, spends the most money, has the, you know the most, you know, amazing machines whatever. 
Um, but in cyber, you know you presume that's the case, but you don't really know, I think of high frequency trading, you know, it was a lot of Russian mathematicians that actually developed that, so clearly other states have, you know smart people that can you know create, you know, dangerous threats. And it's, it's- >> You only have to live once to, that's kind of the defense game. You got to defend them all, you have to bat 1000 on the defense side, or you know, get it and react, from the other guys side, he can just pow pow pow pow pow, you just got to get through once. >> So this is why your strategy of response is such a winner. >> Well this is where it comes back to risk as well right? At the end of the day you're right, you know a determined adversary you know, sorry to break it to everybody at some point is going to be able to find some way to do some damages. The question is how do you quantify the various risks within your organization? How do you focus your energy from a technology perspective, from a people standpoint, on the things that have the most potential to do your organization harm, and then, you know there's just no way people can stop everything unless you, you know unplug. >> And then there's the business. Then there's the business part of it too right? Cause this is like insurance when do you stop buying more insurance, you know? You could always invest more at what point does the investment no longer justify the cost because there's no simple answer. >> Well this is where, uh you know, we talked to chief information security officers all the time who are struggling with the board of directors conversation. How do I actually have an emotional conversation that's not mired in data on how things are going? And today they often have to fall back on stats like you know we process 5 million alerts per day, or we have, you know x number of vulnerabilities. 
But with security operations what they can do is say things like well my mean time to identify, you know was 42 hours, and this quarter it's 14 hours, and so the dollars you gave me, here's the impact. You know I have 50 critical vulnerabilities last quarter, this quarter I have 70, but only on my mission critical system, so that indicates future need to fund or reprioritize, right? So suddenly now you've got data where you can actually have a meaningful conversation about where things are from a posture perspective. >> These are the assets that we've, you know quantified the value of, these are the ones that we're prioritizing the protection on and here's why we came up with that priority, let's look at that and, you know agree. >> Exactly. You know large organizations, I was talking to the CISO of a Fortune ten, 50 I guess and he was sharing that it takes 40 percent of their time in incident response is spent tracking down who owns the IP address. 40 percent. So imagine, you spent 40 percent of a, you know 25 hour response time investigating who owns the asset, and then you find out it's a lab system, or it's a spare. You just wasted 40 percent of your time. But if you can instead know, oh this is your finance reporting infrastructure, okay you super high priority, let's focus in on that. So this is where the business service mapping, the CMDB becomes such a differentiator, when it's in the hands of our customers. >> Super important topic Sean Convery, thanks very much for coming back in the cube and, uh great work. Love it. >> It's great to be here, thanks for having me. >> Alright keep it right there everybody we'll be right back with our next guest, this is the Cube, we're live from ServiceNow Knowledge 17 in Orlando. We'll be right back.
Sean Convery, ServiceNow | ServiceNow Knowledge16
>> Live from Las Vegas, it's the Cube, covering Knowledge16, brought to you by ServiceNow. Here are your hosts, Dave Vellante and Jeff Frick.
>> Welcome back to Knowledge16, everybody. This is the Cube, SiliconANGLE's flagship product. We go to the events, we extract the signal from the noise. This is our fourth year at Knowledge. Sean Convery is here. He's the vice president and general manager of the Security Management Business Unit at ServiceNow. Sean, thanks for coming on the Cube. Sure, I hear a lot of talk about security this week. You guys are making forays into that space. It's a really important, you know, problem area. Every year I look back at New Year's and I look back: OK, are we more secure than we were last year? I read our Cove yellows note, and I text them is they are. We're not more secure. What's going on? But it just seems like the bad guys just keep getting better and better. So state the problem that organizations have with security. And let's talk about how you can help.
>> Sure. Well, I think you've got a new organizational challenge with the scope of security tools that organizations are using, so they're dealing with silos of information, even within security. So we had all hoped, you know, years ago in the security industry that by now we'd have a single pane of glass where we could see every alert, every piece of information. And it would magically be contextualized with all sorts of advanced machine learning. And that just hasn't proved to be true in actual deployment. So organizations have, yes, they have some aggregation, but they have other silos of information. And when things go bad, the investigative process takes a long time, and then the remediation process involves IT, and that interaction between security and IT has been a challenging relationship, to be candid.
>> Well, you underscored that in the keynote. It was yesterday, and you guys had a little tongue-in-cheek, you know, interaction between IT and the security team.
What's the right result regime for handling cyber security, in your view? In other words, well, how should it be structured? Whose responsibility is it? What responsibilities do they have?
>> Well, I think the most traditional organisational model that I've found makes sense is the chief information security officer and his or her entire organization reports up into either the CEO or sometimes general counsel, sometimes an audit lead. So that piece really doesn't matter as much as the CSO and the CEO having a very strong relationship, because what typically happens is the security team will have operational responsibility for all the investigations when something goes bad, there's some sort of incident. But then, when the change needs to be made, even something like a firewall is often run by teams, not by the security team. So once you make that recommendation, you're actually interacting with IT. And this is where having things like agreed-upon SLAs in advance, so that IT and security know what to expect from one another, really helps.
>> Has a failure-equals-fire mentality created somewhat of a lack of transparency over the years, in your view?
>> Say more about that. I'm not sure I understand the question.
>> If I'm responsible for security and I fail, I very well could get fired. Does that lead organizations to be less transparent about the threat, or even sandbag the threat or obfuscate the threat?
>> Sure. I mean, I haven't heard many stories directly about that from, certainly, anybody that I've talked to directly. It feels to me more like they're just struggling to figure out a way to make things better, right? I think, you know, organizations genuinely are passionate around solving this problem, and they, frankly, just struggle to figure out the right balance of investment in people, investment in technology. And, you know, let's keep in mind, right, we're not that far into this journey, right?
Only fifteen years ago, we all thought perhaps the firewall was good enough, and we just needed something protecting us from the big, bad Internet. And of course, the evolution over the last decade has just been more and more threats and more and more technology, which feels like a treadmill we need to somehow get off.
>> But to continue on that thought, as recently as four, five years ago I heard, you know, companies stand up, or individuals at companies stand up, and say, "We've never been hacked," right? So do you agree there's a recognition that it's not if, it's when we've been hacked, and that level of communication is becoming more transparent at the board level? Is that a fair premise?
>> I do think that's fair. I think, you know, the evolution that I've seen has been, you know, "we are impenetrable," right? There was a brief moment where some people thought they could actually achieve that. Then there was the second phase, which was, "Yeah, well, we get attacked from time to time, but we have a great response process." But now I think we're in the third phase, which I think is the most honest phase, which is large organizations are operating under an assumption of persistent compromise, so they're assuming somewhere in their environment they have already been compromised. And so that's what really makes the response piece such an increasing focus for chief information officers and chief information security.
>> Yeah, and I think you guys nailed it, because your value proposition is all about the response, is it not?
>> It is. It's about taking the teams you have and making them more efficient, making them more effective. And, you know, we've been in the security industry paying, you know, candidly, lip service to the notion of making teams more effective and the importance of individuals in the process.
But always in the service of selling you some magical technology that's going to make this problem supposedly go away. We finally realised, I think, as a community that we have to make these teams more efficient, we have to make them more effective. And our security operations product from ServiceNow is really focused on operationalizing and modernizing the security operations center in the same way ServiceNow did to the NOC years ago.
>> Because you've got kind of a natural conflict, where the security folks are kind of keeping an eye on the folks. So there's a little bit of separation of church and state. At the same time, IT is the execution vehicle to put up, you know, better security and/or take care of incidents and responses. So I would imagine that's kind of a delicate balance. And, as you said, helping those teams work better together while still kind of keeping an eye on each other. Interesting conflict.
>> Well, I think if you look at the evolution of the security industry as a whole, it's been security companies selling security technology to security buyers, and that has been the sort of, you know, to use Frank's term, the rinse-and-repeat model of security for some time, and that certainly has its place. We're going to continue to evolve our detection and enforcement technology. But, you know, it's really a realization that these security and IT teams need to be able to work together. And so having a common platform where the security team can have their own protected data storage, their own protected processes, but have a direct integration to IT without having to have either side feel like they're dealing with the other organization as almost like a black box where they don't have visibility into how the process is run once it's out of their hands.
>> So I'm going to test another premise. We've got a security expert on.
So I'd love to test my assumptions. Do you buy the following: that the difficulty in valuing data and IP and assets makes it hard for companies to appropriately secure those assets?
>> Yeah, sure. So I think organizations have people to protect. They have data to protect. They have assets and information to protect, and then they also have another component of this, which is interesting, which is the compliance requirements, right? So oftentimes there'll actually be tension between the risk and compliance organization and the security organization as they decide, for example, which vulnerabilities they want to address. You know, some compliance requirements might have a limit. Say, you know, you have only a thirty-day grace period before a vulnerability needs to be fixed. So even if it's a low-priority vulnerability, you might have that be higher in the queue than something more critical that actually will impact the security of the organization.
>> Because it's essentially kind of risk mitigation, security as risk mitigation, as opposed to security as a bigger, badder moat with a nastier alligator. And trying to think of how much you spend. How do you allocate those resources when, asymptotically, you're never going to get to one hundred percent? But how are people kind of making those tradeoff decisions to figure out how much is the right amount? Because it's never enough, I would imagine. But, you know, how do you kind of balance? What is the right amount? How do you allocate the resources between the less critical, but maybe the regulatory compliance, versus the more critical, which, you know, has bigger implications on the business, or it's a special class of data?
>> Sure. Like, I think the broader organization has struggled to understand that investment level because there's traditionally been kind of, ah, almost an insurance-like mindset to buying security.
It's like, "Well, you know, we have to prepare for this potential attack." But now, back to my earlier point, that people realize they're constantly in a state of compromise, it's a little bit easier to make the investment. But what has been lacking is the visibility into the posture of your organization as a whole. So you have in the past fallen back on statistics like the number of alerts your system generates, which really says more about how well or poorly your system is tuned, as opposed to how effective your security practices are. So when you look to invest now, I think with the security operations capability, you can start to see, you know, what was my incident count last quarter? What is it this quarter? How many of them are false positives? You know, show me, as the chief information officer, the critical business services that I have, tying into the data, as we talked about earlier, and then show me the vulnerabilities attached to those most critical services. I guarantee you, get in front of a board and you show, you know, "these are the vulnerabilities that I have against this infrastructure, and I do not have the resources to fix them," that's a very short conversation.
>> Because, you say, they start writing checks. Um, brings me to my next question, which is: the CEO comes and says, "Sean, I've got to present to the board. I've got to develop a communications plan for the board. What are the two or three most important things I should have on my checklist in that communications plan, to build that communications plan?"
>> Well, I think the first piece, which again I think is the missing piece we just talked about, is some sort of relationship between the investments you're making and the risk to the specific services that are most important to the organization. Right. So if you can provide some metrics and say, "OK, you know, this is my exposure on these services that the entire business depends on," that feels like the start to a fantastic conversation with the board.
Whereas coming in and saying, you know, "last month we had a thousand alerts" or "we had, you know, fifty thousand vulnerabilities," like, that's not meaningful to a board of directors, so you have to be able to get more specific on what matters most. And then I think following off of that would be being able to talk about the staff investments you're making and the effectiveness of that investment. So you can actually say, "All right, we have, ah, a security operations team of ten or fifteen, what have you. And here's how they break down in terms of what they're doing. And here's how, ah, headcount put into that system affects the following results on the other end in terms of, ah, shorter time to respond, shorter time to identify."
>> Do you feel as though organizations are, well, first of all, should they, and are they treating security as a component of their business continuity plans? Should they, and do they?
>> It feels like they are. It feels like, you know, when you talk about robustness and availability, a lot of those terms carry over very easily between sort of the DR world, the security world, business continuity as a whole. So I think that's changed. I think we're on the right course there.
>> In the financial analyst meeting, you shared some data, and we've talked on the Cube about some of the data we've seen: a couple hundred days, when an organization gets infiltrated, to actually detect that intrusion. Is that a metric? Now, who knows, you know, what the real number is, but on average, it's a long time. Is that a metric that we can track? It sounds like we can, and can ServiceNow help compress that time to detection?
>> We can. And the way we do that is by taking that original problem statement I articulated at the beginning around these silos of information and connecting them not only to one another, but to IT and the broader enterprise. So suddenly, what is a manual process to track down the business owners? Something very simple.
Tell me who owns this particular IP address that's being attacked right now, and tell me the service that that IP address is supporting. You know, is this my, you know, summer company picnic planning website, or is this my financial reporting infrastructure? Those two would result in obviously very different responses.
>> So it's early days. You guys just announced I think Tessa, right? We didn't know. And so how's it going? What's the Inter spend? Obviously a big show for you. I said, we've been talking about security all week. We think it's just one of the most exciting things that we've seen from ServiceNow, and there's a lot of them. Put that right at the top. What's the feedback been? What's the momentum like?
>> I think the momentum is strong. We announced four customers in Q4, another eleven in Q1. So getting good growth, a lot of Global two thousand interest. So it tends to be the larger end of commercial and larger enterprise that has the most to gain from a solution like this. And, you know, just on a more personal level, I've been doing security for a long time, long enough that I don't consider myself an expert, because I realized just how much we've struggled as an organization and as a community. But being able to see a shift towards people, towards process, towards being able to make a team more effective given the information they need, given the relationships with that can allow them to be more effective in their response, you know, this feels like a new category of security technology, and one that really leverages ServiceNow's expertise in workflow, orchestration, automation, single system of engagement. And these are not, ah, security problems, these are enterprise problems. So we're taking that expertise and applying it to the security buyer.
>> Excellent. Sean Convery, thanks so much for coming on the Cube. And good luck with solving this hard problem.
>> Thank you.
>> Alright, keep right there, everybody.
We'll be back with our next guest right after this. This is the Cube, we're live from Knowledge16 in Vegas. Right back.