Sean Convery, ServiceNow | ServiceNow Knowledge18


 

>> Announcer: Live from Las Vegas, it's theCUBE. Covering ServiceNow Knowledge 2018. Brought to you by ServiceNow.
>> Welcome back to Las Vegas, everybody. This is theCUBE, the leader in live tech coverage and we're here at Knowledge18. This is our sixth CUBE at ServiceNow Knowledge. Jeff Frick is my co-host. Jeff, when we started covering ServiceNow Knowledge I think it was under 4,000 people.
>> The Aria.
>> At The Aria, it was a very hip conference, but now we're talking about 18,000 people at K18. How ironic. Sean Convery is here. He's the Vice President and General Manager of the ServiceNow Security Business Unit. Welcome back to theCUBE, it's good to see you again, Sean.
>> It's great to be back.
>> So you know I'm a huge fan of your security initiative because you focused what, in our opinion, is really the real problem which is response. You're going to get hacked, you're going to get penetrated. It takes almost a year to find out when somebody has infiltrated your organization, they're exfiltrating data. You guys are focused on that problem. So, really have a lot of hope for this business in terms of addressing some of those challenges. But, give us the update on the ServiceNow Security Business.
>> Sure yeah, so the business is continuing to grow nicely. I think we released at the end of 2017 on our earnings report that security and the other emerging businesses met their aggressive sales targets from 2017. So, we're seeing, you know we're into the hundreds of customers stage now. We've got very mature customers that are deployed in production. I think almost 40% of our customer base is Global 2000 so that's one of the benefits of being on the ServiceNow platform is, we aren't perceived as a 1.0 or a 2.0, even though we've only been around for two years, you know people are thinking of us as an application on top of an already very stable platform.
>> One of the things we talk about a lot, you and I have talked about is, what's the right regime for security? All too often it's the sec-ops problem, or it's an I.T. problem. You know, we preach that it's a team sport, it's everybody's problem, but when you extend into an organization from whatever ITSM, or whatever it is, to whom do you sell? Who are your constituents? Are they figuring out that right regime? Or is it really still the sec-ops team?
>> Yeah, so there's two major use cases in the security operations product. One is focused on security incident response, and that we're definitely selling primarily to the SOC, to the security operations center. But, we have another growing use case on vulnerability response, which is more the proactive side where we're addressing, really just security good hygiene. How do you reduce the attack surface area in your environment by having less vulnerable software in your environment, and that has a very tight tie to I.T. Actually, they both have very tight ties to I.T. Because in almost all cases, I.T. and I.T. operations are the actual execution arm of whatever changes you need to make to your infrastructure in response to something bad happening.
>> Right, it's funny because we were at RSA this year, we've gone for a couple years. 40,000 people, that's a crazy big conference, but a couple of really interesting things that came out this year. One is that, you're going to get penetrated, right, so just a whole change of attitude in terms of not necessarily assuming you won't be, but how are you going to react when you are? How are you going to find out? And the other thing that comes up time and time again when you hear about breaches is this hygiene issue. It's, somebody forgot to hit a switch, forgot to do a correct setting, forgot to do a patch, all these really kind of fundamental things that you need to do at a baseline to at least give you a chance to be able to put up a defense against these people.
>> We actually just did a study with Ponemon Institute of nearly 3,000 security professionals focused in on this hygiene problem, on vulnerability response, and some of the stats are just staggering. 70% of respondents said security and I.T. don't have the same visibility into applications and systems. 55% said they spend more time coordinating a response among teams manually than they actually do in the act of patching itself. People are losing 12 days per update in manual coordination, because think about it, you've got not just I.T. and security, but you've got GRC team, you've got the business owner, you've got the application owner, it's not just two folks sitting down at the table, it's a huge team looking at a multi-hundred thousand long spreadsheet of vulnerabilities that they're trying to respond to.
>> It's funny, we talk often, it's an often quoted stat, how many days have you been penetrated before you figure it out, but what's less talked about is what you just talked about, is once you find out, then what's the delay where you can start taking proactive action and start taking care of all of these things. That's just as complicated, if not more.
>> That's what the study actually bore out. So, one of the things we did was, we broke the data up into those that had been breached and those that had not been breached, and it was about 50/50. But, the biggest difference between the ones that had had a breach in the last two years and the ones that didn't, is the ones that had not been breached self-reported their vulnerability response program as 40% more effective than those that were breached. So, this hygiene thing this is just fundamental. Actually, my personal theory is, it's not as exciting an undertaking. It's much more fun to talk about how you thwarted the bad guy that was knocking at your front door, trying to find a way in. The sort of proactive, you know execution of a strategy to reduce your attack surface area is much less sexy.
>> So, we've always talked about that magic number, or scary number, of the number of days that it takes a company to realize they've been penetrated. Whatever, it ranges from 225, I've seen them higher than 300 and it's a couple years in now, and I'm curious as to what kind of data you have within your customer base. Have you been able to compress that time, and as Jeff points out, even more importantly, have you been able to compress the response time?
>> So there's two stats I'll give you. One is, for many organizations they had zero reporting within their own organization. So if they were trying to report out, they were in the land of spreadsheets and emails, so they couldn't tell you how big an impact it had. We actually commissioned a study with Forrester. They did a total economic impact, a TEI study, with our sec-ops customers and found out that the average reduction in their incident response time was 45% improvement, or 45% reduction in their response time, which is just dramatic. That's very meaningful to an organization, especially when there's a prediction of an almost two million cyber-security job shortfall in 2019. So there simply aren't the people to solve this problem, even if you could hire your way out of this.
>> So what you would expect is if you could reduce that response time, obviously you're freeing up resource, and then hopefully you could create some kind of flywheel effect, in terms of improving the situation. It's early, but what have you seen there?
>> That's exactly what we're seeing. So we're seeing people take the things that are painful and frequent and trying to automate those tasks so that they don't occur as often and require people's time. The analogy that I always use is, if you've watched a medical drama, you always see the doctor racing down the hallway, holding up an X-ray to the fluorescent lights and making a call, telling the nurse five milliliters of this or 10 milliliters of that.
>> Stat, stat, stat.
>> It's always stat.
>> Whatever that means.
>> They're saving the day right? They're saving the day. That's what a security person wants to feel like. They want to feel like they're making that insightful call, in the moment, and saving the day, but instead, they're the doctor, they're the nurse, they're the orderly, they're the radiologist, they're the administrative people. They have to play all those roles, and what security automation is really about is, let's take those mundane tasks that you don't like anyway, and get rid of them so you can focus on what truly matters.
>> It's such an important piece because like I said, RSA, there's 40,000 people, ton of, ton of vendors, and the CISO cannot buy all those solutions, right? And for you guys, to find a place to fit where you can have nice ROI because you just can't buy it all and to me it's kind of like insurance. At some point you just can't buy more insurance, you can just buy and replace whatever it is that you're insuring, so it's a real interesting kind of dilemma, but you have to be secure. You don't want to be in the Wall Street Journal next week.
>> Right.
>> Tough challenge.
>> It's a very tough challenge and the notion that you can find a product to buy for every problem you have is something that the security community, if you go to RSA, it feels that way, right? Like, "Oh I just need to buy another thing." But, organizations have on average 80 security tools already. So, the challenge is how do you actually reframe and think about prioritization in a different way? So we're actually seeing our customers start to take advantage of the governance, risk and compliance capability, that are also part of ServiceNow to use risk as a North Star for their security investments rather than just saying, "Oh this is the latest attack so I need to go buy a thing that stops that attack." Saying instead, what are my most valuable assets? What is the financial impact of a breach to those services?
How do I invest accordingly?
>> I was watching a CUBE interview, I think it was from KubeCon, John Furrier was doing an interview, and the gentleman he was interviewing said, "The problem with security is for years, organizations thought they could just buy some piece of technology, install it, and solve the problem." Couldn't be further from the truth, right? So, describe what you're seeing as to those who are successful and best practice as to solving the problem.
>> Sure, well that thinking you can buy your way out of the problem goes all the way back to the early days of firewalls. I mean, I remember earlier in my career trying to convince people that a firewall by itself wasn't enough. So we're seeing in organizations that are adopting best practices around response, is they're taking a much more structured approach to how they respond to the most common attacks. Things like, suspected phishing email, right? Processing a phishing email that's reported by an employee, by a user, takes anywhere from 15 to 20 minutes to check manually to see if it really is phishing or not. You know, with ServiceNow Security Operations we can automate that down to seconds and allow that time for an analyst to go back to focusing on maybe a more advanced attack that does require more human ingenuity to be applied.
>> Right, the other thing that keeps coming up time and time again within the ServiceNow application and the platform, is you like having lots of different data sources to pull from. You like being kind of that automated overflow and workflow to leverage those investments for the boxes that they do have in the systems and all those things. You want to use them, but how do you get the most value out of those investments as well?
>> Exactly, we're seeing that most organizations don't feel that they're getting the value out of the assets that they've already invested in as well.
So, to steal one of our CEO's lines, he talks about this idea of one plus one plus one equals magic. The idea that if you can bring together the right pieces of information you can create this transformational outcome and I think with security technology, if we can bring the data and the insights together on a common platform that allows you to investigate in a more automated way, to draw on the insights that you need from the various systems, and then to respond in the right capacity at the right time, it's a completely different way of solving this problem that I think we are just beginning to explore.
>> And a whole nother place to apply A.I. and machine learning down the road as well. So, you can start automating the responses at that tier, and a whole nother level of automation to get the crap that I don't need to pay attention to off my screen, so that I can focus on the stuff that's most important.
>> Oh absolutely, I think the headroom in the response category of technology, we're just beginning to see what's going to be possible as we continue to go down this path.
>> Can you talk about the ecosystem a little bit? Obviously it's critical. Just to be clear, ServiceNow is not trying to replace Palo Alto Networks, you know, or other security tools. You partner with those guys much in the same way as you're not trying to replace Workday and SAP and HR. Talk about that a little bit, the partner ecosystem, how that's growing and what role they play, where they leave off, and where you pick up.
>> Absolutely. So, as you said, we're not in the business of building prevention technology, detection technology, we are all about taking the investments you've already made and bringing them together. So, we consider ourselves a neutral player in this market. We integrate with all sorts of different security technologies because again, the goal is, let's take all these insights that are already in the various pieces of infrastructure.
You know, we had one of our customers onstage yesterday during our keynote describing swivel chair. This notion of, I'm swiveling from console to console to console and I'm burning time. If you can give me one place where I can bring that data together, it's really valuable. So, we're quite different than many other ServiceNow products in that, it's often not a human being that initiates the request. You know, a human says, "hey my laptop needs help," right? But, in security it's a third party tool that says, "Hey, go take a look at service X, we're seeing some weird behavior there."
>> So, staying on the ecosystem for a minute. You know, big space; security, crowded space. You were just at RSA.
>> It was crazy.
>> Crazy, tons of startups. When I talk to startups, in fact I was talking to one the other day, it's a phishing startup, guys out of the NSA doing some really interesting stuff. They got to place bets, small companies, and I'm like, "Have you seen what ServiceNow is doing? It's kind of an interesting play. You might be able to participate in that ecosystem someway, somehow." Is it reasonable to think that startups actually can participate, how can they participate? Can they bring their innovation to you? Or are you really looking for established players with an installed base that you can draft off of?
>> Sure, we're actually doing both right now. So, you can think about it, you know, being a new player in the security community, credibility is something we are always seeking to grow and develop over time. So, while we really like to integrate with the large, established security vendors that our customers expect us to integrate with, we also love talking to the innovative startups and integrating with them as well. So, we have a whole technology partner program that allows people to tie into the ecosystem.
We have a whole business development team at my organization where we work actively with these companies to help them take best advantage of what integrating with ServiceNow can do.
>> I think it's key. If you think about the innovation sandwich we often talk about, for years this industry has marched to the cadence of Moore's Law. It was doubling microprocessor speeds every two years that drove innovation. That was nice, that got us a long way, but seems like innovation today is a combination of data, applying machine intelligence, and cloud, cloud economics. And part of cloud economics you get, scale economies, zero marginal costs at volume, but it's also the ability to attract startups. We see that as critical for innovation. Do you agree?
>> Yeah, absolutely. I think that the innovation we are seeing in the security world overall, I think is going to continue to grow, as you saw at RSA, there is always another several hundred vendors it seems like, that are out there. And I think we have, as an industry, toyed with the idea of a suite or consolidation. It's always been, next year is going to be this massive consolidation and it's never seemed to really happen and what I'm thinking is this notion of something like what security operations can do from ServiceNow, where you're sort of making a suite by building an abstraction layer that integrates all the technology. So you get the benefits of a suite, while still being able to go best of breed with the individual technologies that you want.
>> Yeah, consolidation of technologies and becoming safer every year. Those are two things that haven't happened. Hopefully Sean's ServiceNow can help us with that problem. Put a bow on Knowledge18. What's the takeaway?
>> The takeaway for us is that security automation and security orchestration is now here, right? Two years ago, the conversation was "What is ServiceNow doing in security?"
Now my conversations with customers are, "I understand, I'm looking at this market overall. I see the value that it can provide to me." We've got customers on stage, we've got customers leading sessions that are talking about their own transformational experience. So I think the technology is here. Gartner has labeled this category: security orchestration, automation, and response. Which is big for the industry overall. So I think it's here now, and I think we've got a great capability tying into a common platform and of course tightly tying to I.T., where many of our 4,000 customers already are using ServiceNow.
>> Who's your favorite superhero?
>> Wolverine, no doubt.
>> John: Alright, you know why I'm asking. (laughing)
>> I don't know why you're asking.
>> Oh come on, you're the one that told me that all security guys, when they're little kids, they dreamed about saving the world, so you've got to have a favorite superhero.
>> Well, Wolverine's a pretty dark guy, I don't know that that works very well.
>> Sells more movies. (laughing) Sean, thanks very much for coming on theCUBE.
>> Thanks so much.
>> Alright, keep it right there everybody. We'll be back with our next guest right after this short break. You're watching theCUBE live from ServiceNow Knowledge18. (upbeat music)

Published Date : May 9 2018
