ServiceNow has just announced that it is extending its orchestration, automation and workflow capabilities to the enterprise security department. Its aim? Improving how companies respond to breaches and threats by stripping out manual and laborious processes through the use of the ServiceNow platform.
As I’ve said before, ServiceNow could just be the platform to beat in the enterprise cloud market, as it has the ability to easily extend itself into all areas of the enterprise, bringing once disparate and siloed functions closer together.
And that’s exactly what it is hoping to do with its foray into the security market. ServiceNow wants to get security teams using the same platform as its IT buyers, bringing the two functions closer together, reducing the time it takes to respond to threats.
We have seen time and time again large companies report that they’ve had a major incident and then take weeks to both fix it and let customers know that their data is safe (or not, as the case may be). The brand damage and loss to earnings as a result of this can be huge.
Research released by the Enterprise Strategy Group this week found that the number one incident response challenge amongst security experts in the enterprise is coordinating between IT and security teams.
Nine out of 10 respondents said that their incident response effectiveness and efficiency are limited by the burden of manual processes. And nearly 75% of cybersecurity professionals said that incident response tends to be based upon informal processes at their organisations.
I got to speak to ServiceNow’s GM of security, Sean Convery, about the company’s plans to branch into the security market. I wanted to get an idea of why he thought ServiceNow was suited to security teams, what challenges he saw customers having that ServiceNow could solve and what difficulties he thought ServiceNow would face in succeeding in this area.
Convery explained first that the way that the security market has evolved, and the way that enterprises have shifted their buying habits, has meant that there is a need for products that tie the complex internal landscapes together and reduce the amount of time security teams spend coordinating their responses to incidents. He said:
[Enterprises] have a lot of security technology, they’re investing in different aspects. It started out with firewalls and other technology designed to enforce a policy. So you have behaviour that you know to be bad, so you’re going to make a decision to prevent it from occurring.
Then we reached a point where we realised that there are a lot of things that we don’t know necessarily for sure are bad, but we suspect they may be bad. And that became the detection area of technology and of security technology. Intrusion detection. There are a whole host of companies using advanced analytics and machine learning to try and learn about potentially bad behaviour.
Then we realised that we had so many vendors deployed in an organisation that there was no way to get a sense of what is going on, so there are a whole host of other companies that are security and information event management vendors. Think of them as the point of aggregation of all of this enforcement and detection technology.
That’s the state of many customer environments. They have these big investments that they’ve made. But if you notice, none of what I’ve talked about actually helps an organisation once they’ve decided a breach has occurred and they need to respond to it. What do you do once you decide something is bad?
Convery went on to explain that many organisations have a policy in place so that they know what to do when a data loss occurs. For example, they have to check if any identifiable information was lost, they need to talk to human resources, audit and legal teams get involved and the IT team needs to determine the machines that were affected and get them offline.
He said that today all of this is being done in a very “manual and uncoordinated way”. Convery added:
And so when our customers came to us, they said look, you are the best in class experts in orchestration, at workflow, at automation. Why aren’t you applying your expertise to solving this specific security challenge we have? That’s when we started looking at how we can help organisations to respond to the eventuality.
Bridging the gap
It’s an obvious use case for ServiceNow. Its software and platform are designed to pull together and refine processes that would previously have required plenty of manual intervention. When you’re dealing with something like a data breach, it doesn’t make sense for security and IT teams to expose themselves to the errors that manual processes inevitably introduce.
We do feel like this isn’t a security problem, this is a workflow, orchestration, automation problem. An area that we are the experts at. Where we have got the most mature offering, the best capabilities. That puts us at a tremendous advantage. Also, since we are used by 3,000 organisations, many of the potential buyers of this solution are already using ServiceNow for IT.
The collaboration between IT and security is a significant source of friction. Security teams will often need to make changes to IT infrastructure in response to an attack, but the IT teams like to feel like they are autonomous and they control their own destiny. And then the security team wants to have their own technology. The two have had a fraught relationship over the years.
Now I have the ability to have these teams collaborate in their own applications demands, but leveraging service level agreements, orchestration, and all the things that will make the teams collaborate much better. We like our chances.
Equally, Convery added, given the amount of resources enterprises put into getting the best security experts available, it doesn’t make sense to have them sending emails and making phone calls to try and coordinate the right response. He said:
These security professionals are highly skilled, very well paid, very difficult to find and recruit into an organisation, so you want to make sure they’re spending as much of their time doing high value work for the organisation. Rather than chasing down emails and business owners and the right IT contact to help us with this data centre issue.
We feel like there is a productivity gain and a cost saving gain from deploying your security team with this underlying infrastructure of orchestration and automation and workflow.
It’s a clever, strategic move from ServiceNow. As we have seen with its push into HR, there is a clear use case for security too.
Will it be able to convince the security industry it has a role to play? I would guess that it’s going to start with its customer base, prove its success there and then expand from there.