ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary

Thank you for joining. Before we get started, we have a few housekeeping tips that will help make your experience more enjoyable. First, today's session is being recorded and you are currently in a listen-only mode. [Operator Instructions] Finally thanks again for joining us. We hope you enjoy today's webinar. Now let's get started.

Hi, everyone. Hope everybody is doing well, and thank you for joining our DLP Incident Response webinar. We're going to learn about how we increase visibility and accelerate response to internal threats with ServiceNow's DLP Incident Response application. First off, I do have to show the safe harbor notice. We may talk about some things that are on our road map, that are forward-looking, and so we do need to present this just as kind of a check the block. The next thing I'd like to do is introduce myself and our speakers. Pete, would you like to just come off mute for a couple of minutes to kind of introduce yourself?

Sure thing. Tim. Hi, everybody. I hope you're having a wonderful day. My name is Peter Kartje. I am 1 of the senior product managers for the SecOps group at ServiceNow with Tim.

All right. Thanks, Pete. And I'm Tim Boswell, I work in product management with Pete. I just recently joined PM a few months ago. My background really is working in the security operations organization to include ServiceNow's security operations team within ServiceNow charged with both protecting ServiceNow and ServiceNow customers. And so I like to fall back on my experience using these applications in the security operations center. The first thing we'd like to do before we get into the presentation, we just kind of want to understand our audience. We want to understand who you are. So maybe we can try to tailor the presentation as much as possible. So we do have this pull up and it has some questions, we just want to understand, how are you responding to DLP alerts today? And what I'm referring to are those alerts that you're receiving from those DLP tools? Do you have a fully automated workflow? Do you have a semi-automated workflow? Are things completely manual and you're fully overwhelmed or you just don't respond to any alerts at all? So if you could just take a few seconds kind of read through that and respond that way, we can better understand our audience today, and maybe we can do our best to try and tailor our conversation based on your experiences. So we've got a few people responding. Just give you a little bit more to make sure everybody gets an opportunity to get in there and provide that. Okay. So let's take a look. So -- okay, it looks like most people are using a workflow that has a combination of manual process and automated process and everyone else, they're manual and they're either handling it, they're keeping their head above water or they're just completely overwhelmed. So hopefully, we can provide some insight into how to better automate things, make things easier, make it so you're not overwhelmed and just in general, deal with those DLP alerts in a more efficient and less stressful manner. So with that, real quick, the agenda. What we're going to do is we're going to talk about the DLP IR challenges, that's kind of our problem statement. Hey, here are the problems that we're solving. We're going to talk about the solution a little bit. Why it makes sense to use a unified DLP solution, the integrations that we support, so that way we can provide that unified solution. Why does it make sense to use the ServiceNow application when handling DLP, the analyst capabilities, our integration with Microsoft, which is our most recent integration that was just released last month, we want to talk about that. And then we're going to do some QA. Something I left out though is we are going to do some demo. And so we're going to try to keep the presentation as short as possible, because I know people prefer to see demo. They like to see the application in action. They like to see what it what it would look like for the analyst or for that [ stock ] manager or whoever is using that. So we're going to try and talk as little as possible during the presentation, because Pete's got a great demo that he has teed up for us. We're going to try and get to that because that's the real main course, if you will. So with that, let's jump on into it. Pete, do you want to take this first slide?

Yes, sure. So I assume you're all here today because you've got some challenges with DLP. Traditionally, it's a bit of a swivel chair scenario and also a lot of spreadsheet work, which is not great. It's going to leave you moving slow and DLP is something that you got to be on top of. You don't want to wait too long. So typical issues that show up with DLP. You've got a limited team, only so many DLP analysts to go around and the events never stop coming. So automation is going to help with that and give you more time to react and also to respond accordingly. There's multiple DLP tools. We'll talk about that in a couple of slides that are spread between multiple vendors. And ServiceNow will be able to integrate with several of those vendors. So if you can bring it all into that single pane of glass, where you have quick access and you're able to find things quickly and respond quickly, our analyst will be able to do a lot more for you. As we mentioned before, manual collaboration with employees such as email, spreadsheets and escalations. Again, that's the [ swivel chairing ] as well as responding via e-mail and tracking all that can get tracked difficult. ServiceNow can help you with that as well. Storing incident reports and employee responses, we do that within DLP as well. We essentially have ascertainments and e-mail [indiscernible] to go out to DLP users that have either committed a tiny mistake or a large mistake. And you'll be able to automate that process as well as send out automated scripts to make sure your end users know that they need to take action. And then lastly, we're talking about repeat offenders. And sometimes, this is not always malicious, right? Obviously, there's times where things leave, and it's a much different scenario than your typical scenario, which is somebody accidentally shared something with someone else outside of your org that shouldn't have been shared. And you want to be able to catch that. You want to be able to make sure it was either part of a known business process or an accident or they've deleted it because they realized they made a mistake. But you can also monitor how often this happens with your employees and your users in your organization. And with those multiple users, you can then go, okay, who needs more attention, who needs some training to understand what our rules are for our documents and our data inside of our organization to make sure it doesn't wait. Tim, over to you.

Sorry, I forgot to click the unmute. I'll try and work on that the rest of the time. So thanks. I'm going to take this next slide. What I want to talk about here is that whether you're doing security or IT or digital technology or digital transformation or customer support or field services, whatever. However you're using ServiceNow, ServiceNow is a system of record, and it's a system of action. So by doing DLP on ServiceNow, we have the ability to integrate with multiple DLP tools and bring them all into 1 place. So before I worked in security at ServiceNow, I worked at a university where I was doing security operations there. And we had, in addition to the regular university, we had a school of medicine, we had a hospital. We had a system of medical clinics. We had a children's hospital. We also had law school. We had all these different things. And so because of that, we had almost a half dozen different DLP tools to cover everything. And all that swivel chair to all those different DLP tools, it was just killing us in the incident response team and so what ServiceNow is doing here is it's eliminating that swivel chair to multiple different tools. We're able to achieve that single pane of glass or get as close to as possible to a single pane of glass. And the other great thing about having multiple integrations is it kept the auditors happy because they required 1 set of feedback. And I have talked to some customers who said that this solution was great, because when they were migrating from 1 DLP solution to another DLP solution, they were able to maintain that 1 set of feedback for their auditors and keep their auditors happy. So because we're on the ServiceNow platform, we can work flow the remediation process with automation for things like task assignment, notifications, escalations, reporting and dashboarding, and so this allows us to handle things more efficiently, reduce effort on the security team and provide some meaningful metrics and data that are visualized great within our performance analytics applications on ServiceNow. So ServiceNow is really good at using templates. And through those templates, that's another way we can help automate the work that the security awareness or security behavior team needs to do, because they often get overloaded same as the incident response team. And it's great for executives because we're able to automate those reports that go to the executives or we can grant dashboard access to the executives, so they can go in and just view the dashboards themselves. And that may sound kind of scary to some people, but believe me, when we did that, that made our lives a lot easier because then the executives weren't asking us a whole lot of questions and they felt more confident, because they have that information available to themselves. So Pete, I'm going to take another a little break and hand it over to you for the next slide.

Sounds great. Integrations, right? Tim was just talking about who we can work with at ServiceNow to make your life easier. We've had existing integrations with Symantec endpoint, network and e-mail, proof points endpoint product as well and NetScope's cloud product. Our newest integration that we're working with is Microsoft purview, which we're going to talk about quite a bit in the demo. Quite exciting because this allows to merge things like endpoint, cloud, OneDrive, SharePoint, Exchange Online, Teams, all that, it gets pulled in to ServiceNow and your DLP analysts can use that. It will be really interesting later on, we'll show you that it's not retained on ServiceNow. So if you're worried about your data security, and how Microsoft purview works, we'll be talking about that a little bit later as well, and it works quite well to make sure the data stays where it needs to, not floating around.

Right. Okay. So we've been talking for a while. I'm going to go through a few other things. And then Pete is going to present just a couple more slides, and we'll get to that demo that I know everybody is waiting for, but just a couple of other points I want to make. So the employee response, what we're talking about here, and I want to reiterate this, and I want to emphasize this, is we're not talking about, okay, we're going to grant the employees access to our DLP tools, and they can go in and handle the alerts themselves. What we're talking about is certain low risk or common false positive alerts that are triggered by employees doing things and that are not likely to be insider threat things. We're talking about like maybe a developer is testing an integration with the payment card system or some other tool that they're building, and it's creating a lot of false positives. And so these low-risk alert or alerts that it doesn't make sense for the security team to handle. We're going to offload those and delegate those out to the employee that trigger the alert or the manager of the employee that triggered the alert. So we're going to offload a lot of that work that the security team shouldn't be doing. The next thing is we're going to use the application to do that employee coaching. So we're also going to help that security awareness team or that security behavior team use the automation within ServiceNow or use the templates within ServiceNow to do that coaching and do that awareness. So that way, then we don't have to force employees to go sit in on a webinar and take time out of their day, which employees love to do. They love sitting in those security awareness webinars, they don't. And then -- but then also, it's easier to track those repeat offenses, especially if you're using multiple tools, because then now you can really correlate, okay, who are the employees who are causing the most amount of false positives, maybe we need to go talk to them and figure out what they're working on that's causing that or maybe we do have an insider threat situation, maybe somebody is trying to do something. Now we can really understand the behavior and recognize, okay, even though these are low-risk alerts that normally don't lead to an insider threat situation, maybe this 1 actually is an insider threat. And then we can use automation to escalate to management, whether it's an insider threat or whether it's a -- we need to get HR or legal involved or whether it's just an employee doing bad behavior and we want to escalate to the manager or maybe the employee, if we're truly making them go and mark the justification behind the DLP alert and justification why they're trying to do these things. Maybe if they're not responding to that, we can use ServiceNow to automate that manager escalation. Saving time, not asking the security team to do that, but then it's easy to track that within ServiceNow. But then like Pete mentioned, we are still able to restrict data. So just because somebody has access to ServiceNow does not necessarily mean they have access to the DLP application. Just because they're going in and responding to the alerts they cause doesn't mean that they can access everything else in the application. We're able to control that access within the application. We're also able to control who can access the forms. But then within a form, you can -- we can control who can access certain fields within a form. So we may grant view access to a particular form, where we may say, okay, we only want them to view these particular fields in the form, the rest of it we don't want them to view. So there's some great granular access controls that we have there. So Pete, I'm going to hand it over to you, so that way, you can do the rest of the talking and then move into your demo, which I know everybody is waiting for.

Awesome. Thanks, Tim. Appreciate it. So as Tim mentioned, we really have rich DLP capabilities here. the ability to assign things to either end users, managers, any people involved in the workflow, you can control that inside ServiceNow. You can also change the state of an incident, but you can also set custom states. That's something that's not in the box, you could change and said that applies to your organization. So for example, here we talked about having legal review. We also have the ability to use custom fields to store and specific incident data. You'll see that specifically when we show the Microsoft integration, you were able to show match data, which is really useful. And then as we've mentioned before, assessments, right? We really want to be able to empower your DLP analysts to achieve velocity with your end users, be able to have your end users reply to these assessments with granular control, as Tim mentioned before, to basically say, why they acted the way they did and then either go, okay, that's acceptable or it's not and we need to retrain you or worse comes to worst, you might have caught something more sinister. Then also, you can create child incidents, right? You can basically create tasks off a test that would be passed down the line and be able to collect responses from multiple parties as well. So as you can see, this is a little bit of an older screenshot of our DLP workspace. You'll see the new one, which looks much shiner and new, but there's a thorough amount of data here, like where it's located, when it was open, when it was transferred and so forth. All that data is provided to you. And then obviously, I keep harping on Microsoft, but this is probably our most exciting new integration. But obviously because of Purview and the ability that Purview provides with match data, right? You can see very granular level of data with regards to what Purview detected. It will tell you what it detected because it has its own set of rules and then communicate that to the analyst and what those breaches or those data losses were. So in our demo here, you'll see, I believe we use credit card numbers or we discuss that or things like PII, anything like that can be done. And then it's also not stored locally, so -- which is really important for how you're controlling your data. Either you can store it locally, the analysts can download a file and retain it and look at it on their own desktop or conversely, you can move that into a cloud-native system like a [indiscernible] bucket or [indiscernible] bucket, anything like that and store those via XML on that SharePoint site or so forth. So your analysts can access it, but it is not retained locally. So with that, I am going to jump into the demo, and it's going to run for about 15 minutes or so. So here we go. Let's jump into DLP, and show you what's going on. I'm going to start with essentially the configuration and then a little bit later, we'll show you the end user experience, but I want to show you sort of the steps how an administrator would set this all up. So I'm going to start out today with the assignment rules. These rules are essentially how the OP assignments are being sent to end users. And as you can see, this is all basically set up by common DLP tool on paradigms such as severity and scan source and other options that you'd like to set, be it application or other attachments, anything there is adjustable. So in this case, are default setting us to look for low and medium settings that are -- or severities that are coming from SharePoint. When it happens, we can automate this and either send it to the end user or other options like a manager or user group. And we can also identify the end user here by various headings in this case setting. So who has modified, who owns it, who sent it and also the destination. This is all customizable and you can adjust this any way you want. Next, I want to show you what e-mail templates we use in DLP to inform end users of their issues. So if you give me a moment here, I'm going to switch over to e-mail templates. And I'm going to show you essentially the default end-user template here that we use for digest. So any list of items that end user would have, they would get this digest regularly. So here, we can say, we've got a digest sent to an end user. We can also set conditions here just like we did for the assignment rules, and we can define things like target users via all recipients or by group or matching the criteria above that we set. Again, standard use for DLP, basically data loss prevention header. So same thing severity, SharePoint by source or other settings here as well. We also use an e-mail template here inside this setting to inform the end user, right? So in this case, we're using variables to show the end user. So this would be automated, tied to the incident, and then they would receive this e-mail. You can flexibly set these variables to various things such as who it was updated by, target user, but also other things such as high severity incidents and other variables. In this case, you could probably set a variable for this regards to how many incidents they have for their digest, but here, we hard-coded it just to make it a little simpler on this end. Tim, do you have anything to add here?

Yes. I'll tell you what's great about these email templates is we're using the same automation functionality that's in the ServiceNow platform. So the e-mails that are sent can be automatically personalized to the recipient and you don't need to learn a whole new process or a whole new tool. So if you're already using this functionality or elsewhere within ServiceNow, it's the same functionality here.

Yes. It's super powerful. I'd like to show incident response options next as well. So I'm going to hop over here real quick. So here, we have a default on the box setting for DLP. And here, what we would do is, with regards to the incident response and when it's said, same thing, conditions can be set as you feel, and we can also change the default target state, but we also see the end user action mappings, which for the end user later on when I show you this, we can see the responses to the end user that would give back to the analysts. So the base ones here are things like deleted file or that was required for a business process, false positive, wrong owners. This is completely customizable. However, you want to do it, you can add these end user action mapping anywhere. I'd like to show you how you set up the assessments for end users as well. So here, again, we have a standard 1 on the blocks for a large information transfer that left the organization. This header is what they would see when the end user gets the assessment. So it is a boiler plate issue language that we want to use. And this questionnaire is provided in case of large incident transfers in this scenario. But we can also see exactly what questions are being asked, right? So we can open up the assessment and we can see the metrics. Name of the client, that was on the file, the information owner, Info type and other natures of services. Next, I would like to show you the op center that is the heart of the analyst workspace here in ServiceNow. ServiceNow really wants to drive this single pane of glass to make sure your analysts have all the information at their fingertips. So we don't want them to swivel chair, we don't want them to have to go to all sorts of different windows to find the information that they need. So they have this really nice overview here. They can see their incidents by severity, incidents that are open, by scan source policy, age, state. All of this is customizable as well. You can change this dashboard however you'd like to as an analyst to make it work better for you. We also get to see that the analyst has access to dashboards, right? And dashboards are another powerful tool to show what sort of information is coming in. So in this case, it's pretty thin here. But you can see between closed incidents, false-positive incidents, but also more things here like severity even incidents, how often things are being escalated and so forth. Lastly, you can drill down into a workspace itself to see any event you want, right? So in this case, the analysts could see all events, open events and a whole bevy of others. This is also adjustable as well and configurable to your organization's needs. We really want to bring the maximum amount of flexibility here for you as an end user for your organization. Tim, any additional information you'd like to drop in at this point?

Well, I'd really like to reiterate that the workspace was designed to bring the data to the analysts. So providing less clicks and faster access to the data, and it gets us that much closer to achieving that single pane of glass.

That acceleration is what we strive for in ServiceNow. We want to make your life better when it comes to doing this work. I do want to show you some more configurations as we continue. So maybe you don't want to see all the data sent back to the end user. Maybe you want to restrict those things, and you can do that with field level restrictions. So here, we can set as an analyst and as an administrator, what the end user can see. Now an analyst gets to see everything, but we don't want that necessarily for an end user. So again, like before, we can set matching conditions to separate filters, but we can limit to what the end user sees here. So we've set very specific things such as when the file was made, located, modified and who the owner is. There's plenty of more detail in ServiceNow that they could get access to, but we want to limit that. The end user doesn't need that as much. We can also specify who this field level restriction basically applies to. In this case, we wanted to apply to all end users, but we control that at a granular level, if you want it, as well as by group. Also, we want to control how fast our end users reply. We want to make sure that they don't let DLP incidents out of your organization and then just promptly forget about them. So we can also include information that the end user gets notified how frequently when they've failed to respond. So here, we can look at specifically response due dates, right here. Here, we've got a basic out-of-the-box option to escalate to a manager, right? And so like we've seen before, we love to be able to use conditions and be able to flexibly adjust how you want these response date rules to take place. But by their basic nature, we can set time limits. So in this case, if an end user doesn't respond within 5 days, the manager is going to get notated -- or notified excuse me. But we can also make sure the end user gets like a nudge, right? We don't want to just leave them in a black hole and then yell at them when they fail to fill out the assessment or respond to any sort of escalation. So here, we notify the end user within 2 days that, hey, you really need to fill this out and send it back. We can control who the escalation goes to. It can be sent to a manager, it can send to a user group. It can be sent to even a custom user tied to the incident. We also assign it by a variety of fields by either manager or any field here that you'd like to set. Maybe you want sources to go to a very specific person. You can control that here. We also set the maximum level number of escalations. In this case, it's going to the manager after 1 escalation. So you can change that per your needs of your organization. I also would like to show that you can control and monitor repeat offenders, right? Maybe you've got somebody that needs more training or worse, right? It could obviously be worse. But we'd like to think that we give people the benefit of doubt. So here, we will go look at the repeat offense rules. In this case, very similar to before you'd be able to drill in you can set your conditions. I know I'm sounding like a broken record now, but it's really powerful. You can set these rules and narrow them down per conditions, and it really allows you find granular control on these rules. In this case, the end user basically has a repeat offense threshold set here. So it'd be 2 and over 60 days. So any of these get violated, the end user is going to be notified as a repeat offender to manager -- managers and other individuals that control your DLP policies. And at that point, you get to decide what you'd like to do with the end user more training or so forth. Lastly for setup, I really want to call out 1 of our newest integrations. Microsoft Purview is now something you can integrate specifically with ServiceNow and our DLP product. We're really excited about this. Because with Microsoft Purview, you get more data, you get granular data that essentially drills down and lets you know like things like detective sensitive information here. So when Purview checks, they look for very specific things, and we flagged it in Purview, hey, credit card numbers. If these leave our system, we need to know. And that information is then shared again with the analysts, right? Now something I want to show you that is blank currently, which is match content and you go, well, hey, Pete, why are you showing blank content. This is why, Microsoft purview, specifically in their API controls, do not -- doesn't let data leave for more than 7 days. That is controlled on Microsoft side and not our side. And we're happy for that because that data needs to be controlled as well as monitored and it make sure it is kept safe, right? So in this case, if it was credit card numbers, it would be listed here in this match content. And the analysts could see that information, but it doesn't stay in ServiceNow, and that's really important. We want to make sure you understand that, that at no point in time is ServiceNow going to retain that data. But you go, "what happens after 7 days, I need that information." Maybe it took a while to make an analysis or it got escalated and the answers come back and you need to see that data. Well, the analysts can still access it. You could basically download a local file and that would be kept locally on the analyst's machine where he or she could delete that after the fact. Conversely, you could also use something like an S3 bucket in Amazon or Azure where you would store an XML there, and that could be accessed remotely outside of ServiceNow and that data wouldn't be stored in ServiceNow. Tim, any additional information with Microsoft Purview, because I know we're really excited about it on ServiceNow inside?

Yes. If I may add, the Microsoft Purview integration is just 1 of many integrations that ServiceNow provides prebuilt out of the box. They're all located in the ServiceNow store. But this integration, it's our most recent innovation, and it's the newest addition of the portfolio, which is why we are showing it to you today.

Cool. I know we're both pretty interested in this, and we're excited to see how customers use it. So I've showed you really a quick tour of how an admin would set things up. But obviously, we've got to see what the end user sees, right? So I'm going to hop over to it on their instance here where we get to see Paul, who is our sample end user here. And I want to show you what Paul would see when he goes to his local and basically assignments for DLP. In this case, it would be the end user portal here, and I just would like to show you so end user compared to the ops portal, which we saw differently before for the analysts. So here, with the end-user portal, we tell that -- we can tell that Paul's got a couple of incidences, 1 related to credit card numbers with PCI data policy, but also U.S. social security numbers. And I'd like to show you both because a little bit different information in both. So here with regards specifically to this incidence, I just want to show you that the activity stream that would come from an administrator to tell Paul, hey, this is what's going on. You shared from some PII data regarding social security numbers, and that's a problem. You got to take care of this. Paul needs to respond, right? Because he even needs to say, I've taken care of this or oh, I didn't know and it needs to be escalated and we need to solve this problem. So Paul here can say it's a false positive that he really didn't [Audio Gap] they know a file has left. This isn't my doc. I know it says my name [Audio Gap] I haven't touched this. And let's [Audio Gap] any way you want. It doesn't have to be these [Audio Gap] UI settings, you can choose and adjust these, as I showed you in setup. [Audio Gap] okay, I deleted it locally. I really needed to send this out [Audio Gap] required for a business process and then you sent it, now the analyst is going to review or escalate or follow whatever local to the other incident that Paul had here, which was regards to PCI. Here, we see the assessment that we talked about earlier where Paul is setting [Audio Gap]. And so Paul would have -- he would have to answer it, right? Again, at the very top, we see that stock e-mail that we crafted in the configs that Paul gets to see and these questions that are related in that question bank. So the nature of the services, the name, personal information that was for a client transfer, and lastly, if it was Federal or state government client. And Paul would submit these answers to the analysts. And again, the analysts would get that data, make a decision, escalate, close or whatever need -- he needs to take care of, the analysts could do. So that shows the end user experience. And it's really pretty easy to use. We try to strive to make it simple for an end user that's not necessarily an IT user. This is an HR user or it could be any other user, or service member. We try to keep it approachable and simple and understandable. Tim, anything extra here with regards to end-user issues?

Well, I want to reiterate, I think we mentioned this a couple of times during the presentation, but I do want to reiterate that a lot of questions that I got when we were first rolling this out and a lot of questions I get today from customers are, wait a minute, how do I know an employee isn't just clicking false positive, false positive, false positive. And the way you can monitor that again is with our analytics and with our metrics and the reporting system. So that's 1 of the other great features within the application is the ability to monitor and see like, okay, this particular employee has been getting a lot of notifications and they keep clicking them as false positive. I think we either have somebody who is not taking it seriously or maybe we have an insider threat situation, I need to either engage our behavior and awareness team or maybe I need to engage some the VFIR incident handlers or HR or something like that, we need to look at this a little bit further. So I just really wanted to reiterate that because that's a common question that I get.

Awesome. Great. So that was our real quick tour around DLP inside of ServiceNow. We hope you found it interesting. Sorry about that, Tim, I clicked the slide on you. That was my fault. You're on mute, still, Tim, by the way.

Yes. Sorry, Thanks, Pete, for that great demo. And sorry, everybody. This is what happens when 2 people try to drive the same car. So we do have plenty of time for Q&A. Before we do that, though, I do want to remind people about the survey. Please fill out the survey. It's important to us to understand, are we providing content that's useful and meaningful to you, good use of your time, because I know what is like to block off some time in your day and attend a webinar or watch the recording later. So we really want to know how we're doing. But also, we want to understand the content overall. What other topics would you like to see either from Pete, me or from somebody else. What kind of topics would you like to see from ServiceNow? We offer a wide portfolio of security applications on top of ServiceNow. And so if there are other things that you'd like to see, we really want to know about that.

So with that, we'll let me jump into -- we did get some questions here, mostly during the demo. And so we'll just start at the top here. So the first 1 was, can you use this tool to separate critical incident records from problem management records, like can you set thresholds at a CI record after a certain number of days, get supported into a problem management queue and then notify as a manager for further actions? So the answer is yes. And -- but there's a caveat. So out of the box, the application does provide the ability to do notifications in an automated fashion and do those escalations in an automated fashion, so you could escalate things to a manager, you could notify a manager after a certain number of days. And there's lots of other conditions and criteria that you can set when you're building those notifications, those escalations. The other part, though, about creating a problem management record or a PRB or maybe an incident or some other record within ServiceNow, that's going to require a little bit of additional configuration. It's also going to require that you have those particular modules with in ServiceNow. So as long as you have those modules where you want to create those other records, and you have those other tables that should work. Pete, did you want to add on to any of that at all?

No, we pretty much covered that pretty well, Tim.

Okay. Thanks.

I can grab the next question if you want.

Thank you. Yes, that would be great.

So we had a question about how does the platform understand your org chart? And how does it know to escalate the incidents to the users, manager or HR staff? And that's going to be setting up via roles in groups. So when you create your users inside ServiceNow, you'll attach them to certain groups that will have roles attached to them and they'll either be a manager role or an HR role. And then inside your configuration, when you're setting your escalations, you can choose where they're sent. So you would say, I want it sent to HR manager or I want it send to my DLP analyst manager, however, you want to do that. But that's basically granular level of control that you can do inside the ServiceNow platform with any role, really, it's not just a security thing. It can be used at variety of our products or role in controls.

And Pete, if I may piggyback on that, chances are you may already have this within ServiceNow. So if you're already using ServiceNow, chances are you may already have that within the platform, and now you just need to plug in DLP. And so if you're already doing -- if you already have ServiceNow integrated with like Active Directory or something like that, you already have that org chart in ServiceNow, so to speak. That work has already been done for you. And so if you're already using ServiceNow for other things and you just want to add this additional module on so that way you can better handle DLP, you should already be set and save a lot of time.

Cool. Next question I want to grab was 1 where -- where do I find it? We've been talking about Microsoft purview and all these other places that where do you go get these things? So like many of our other integrations, it's all found on our store app. So if you just go to store.servicenow.com, you will basically be able to search and find all the integrations that are functioning inside of our platform. So in the case of Microsoft purview, you would just head over to the store, you -- there's a header at the top that says integrations, and you can search in there, you type in Microsoft Purview and you find it. It would tell you everything you needed, including dependencies, what licenses you needed and any other products that you needed to use that integration.

Cool. I'm going to take the next one. So can you talk to the work that goes into enabling the DLP capabilities that you have demonstrated, for example, who would generally be responsible for configuring the response due date rule, escalate to manager? Basically, all the stuff that Pete was showing, I think, is what you're interested in, who configures that and who maintains that? And the short answer is somebody or somebody's team, generally 1 or 2 people, maybe 1 person and a backup would need to be designated as the admin, and that's the person who would set that up and be responsible for maintaining that. Now a little bit more specific around, okay, well, who in the organization does that. I will say, having worked at multiple places where we've used ServiceNow and having been out there talking to customers how they do it, that will differ from customer to customer, and that could be any combination of within the security engineering team, a couple of people might be identified that they're responsible for the DLP module, or the DLP application as part of their responsibilities. That might be somebody in the security awareness team that maybe is responsible for that or there might be somebody in the IR team. But it's going to want to be somebody who has some level of knowledge of ServiceNow and can go in and maneuver through ServiceNow and configure these things or you might, if you're in the security organization and you want to use this capability within ServiceNow, you might have a great relationship with your platform systems administrator team and they might be the ones who do this for you. They might be the ones who configure this more, you might work with them to maintain it. Any changes that need to be made, maybe they will do that for you. So I would say, look at how you run ServiceNow within your organization today. If you're using any of the security tools now, look at, okay, how do we maintain those? Is that -- are we doing that within security and within security, who is it? Is it the security engineering team, is it somebody else? Or is it our ServiceNow platform team? So I know that was a little bit of a long-winded answer, but I just -- I really wanted to make that -- because that's something that commonly comes up is the governance of the security applications within ServiceNow and who does what, especially when we're talking about a platform that is often enterprise-wide.

It's just good practical knowledge, Tim, that you're sharing with us having lived this installing all this. So I appreciate that. Next question that we have is regarding, I think we addressed this, but I will cover it again, which is do we have to grant employees access to the security module to use DLP workflow? The answer obviously is no, right? In fact, your end users, you probably don't want them seeing most of it. You want to very closely tailor what they're going to get in their assessments and what data will come back to them. So you can control that and not give them deep level access to your security and incidents. Obviously, your analysts, you can share them however you'd like and have more secure events or higher risk events, how we'd like to decide that, go to a certain set of analysts, you can also split that if you want it as well. But otherwise, no, you really don't have to -- an end user doesn't need to, right? They don't need to see all the worrisome data that an analyst deals with on a regular basis because it might scare them to be frank. But more naturally, you just want to be able then to get back to what they're supposed to be doing. So to be able to answer the questions they need to move on.

Okay. So we're at about 45 minutes, 46 minutes. I know everybody likes to have a break before they go to the next meeting. So Pete, unless there's any other questions that came in that I missed that you want to tackle, I'm going to move on and move to our closing.

Go for it. I don't think we've got anything standing at this point, Tim.

All right. Just a few -- there we go. So again, -- we have a great portfolio of on-demand webinars at our website at servicenow.com just go to Events, on-demand webinars. If you like this one, and you want to show it to your co-workers or show it to maybe your -- another team, you can go find this there after it gets posted, but if you want to learn about our other security products for vulnerability management, threat intelligence, or any of our other applications on ServiceNow, that's a great place to find that information. And then we do have our annual Knowledge conference coming up in May, so I do want to put in a plug for that. That's a great place to go and get hands-on with applications like these. There are some great talks, some great learning sessions. It's a great place to meet your peers, to meet other ServiceNow customers that are trying to solve the same problems that you're trying to solve and they may have a solution that you might be interested in. So it's a great place to network with your peers and other ServiceNow customers. And also meet ServiceNow product managers, practitioners and like I said, get hands on with the application. We do have some great labs and trainings at our Knowledge Conference in May. And then, not too long ago, we did release our Utah update to the platform, the platform release, Utah. Sorry, I'm not saying that very well. I'm having trouble getting the words out, but if you're using ServiceNow, you get the idea. We -- Utah is the current release that was just made generally available a couple of weeks ago, and that is now available for your use. You want to register for the release broadcast so that way you can learn about all the new features, all the new things that have come out with Utah and are available to you. So with that, Pete, thanks. Everybody, thanks for joining us. I really hope this is worth your time. I hope you got some good information. Clearly, I'm done talking, because I'm having trouble getting the words out. So with that, we'll say good day. Thank you very much.