ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary
March 30, 2023
Earnings Call Speaker Segments
Greg Kanevski (executive)
All right. Well, good afternoon. How is everyone today? Having fun so far? Nothing like asset management to get the afternoon going. So I hope everybody had their lunch. Love the energy. So asset management. This is all about the Gisele and Tom Brady asset divisional breakup. That's what we're going to talk about here today. We're going to talk about who got what. It's the only way to talk about asset management in the afternoon. Actually, I'm joined by 2 fantastic panelists. We're going to have a great discussion here today. We really look forward to going through it with you. We want this to be interactive. Ask questions. Raise your hand, [ Tricia ] and the other team is back there. And let's talk about it as we go through the topics that we have here for you this afternoon. I'm going to start it out though with a couple of just prelude slides as to where we are and why and get into the context. So let's start off with, what are the priorities for corporation today? And I don't -- the 3 of us come from banking, work in banking or financial services. So obviously, we have that spin to it. We have that lens to it. But I don't care what corporation priority is today. They all feed here. Customer expectations, internal and external, risk and compliance, which we're going to get into heavily as it relates to asset as far as I'm concerned, with my last role when I walked in with 12 MRAs, all based on assets and the regulators were all over us because it starts with the foundation. How do you manage that? And how do you move forward? How do you build everything else on top of it all the way up through resiliency? But you can't do that with unlimited costs. And security breaches today are driving those costs. IBM survey found $6 million per security breach is the average cost just in financial services. The only industry that beats that is health care. So obviously, those costs are there, to remain competitive against the peers and to be relevant.
I think we heard a quote recently that if you find change challenging, you're really going to find irrelevancy challenging. Asset management is a big piece of that. So let's get into what are the big boulders pushing the rock up the hill? We talked about margin pressures a minute ago, increased regulatory. We talked about malicious cyber threats. But the operational risk, which is really the basis of this discussion is the most immature regardless of the industry. And the reason for that being the environment is just so dynamic. It's changing so rapidly. How do you deal with it? And unless you're a company that started in the last 5 years, you don't have a greenfield. You have to deal with the old and phase in the new. So how are we going to do that? And the biggest boulder, the one, obviously, the pressure standing behind is the silo systems and fragmented, which is going to be a large part of what we talk about with Stephanie and Paul here today. So as we get into that, you'll see 3 sets of words that are in green, and they're in green, obviously, for a reason. Uniting IT, single platform and customer-centric, all of it revolves that ecosystem around those areas. And we talk about asset ecosystem, we're really talking about how that process unfolds. How that process is going to work at scale and how each of you, who are dealing with this day in and out, day in and day out, are going to be able to manage that. But when you factor in the risks and the controls that are set up along that process, and being able to operationalize those not just by asset, but by how you deliver your services, right? Because beforehand it was all about, well, we need to know how many laptops. We need to know how many switches we have. We need to know how many point solution. But now you need to understand how that rolls up to your service, how that relates to your distribution channels.
And doing that through effective risk management begins as we talked about and then to go at the building blocks of our discussion. So that starts us off with our panel here today. And I'm pleased to be here with Stephanie and Paul. What I'm going to ask, just to give a bit of introduction to themselves, their roles and then we'll get into our questions, starting with Stephanie.
Stephanie Truckenmiller (attendee)
I am Stephanie Truckenmiller. I work at U.S. Bank. I've been there for a long time. I've been leading IT service management and IT asset management policies, practices, tools, in most of my journey at U.S. Bank. This topic is important to me today. We've got a lot of stuff going on with different audits and whatnot. But it's always been important to me. What I think is fascinating is the timing of this now versus 5 or 10 years ago. Now it's become even more important to everybody else, why this room is so full, right? We're all really having to care about asset management like we never had to before. So this topic is super important because not just of an asset of itself, but every place that we work, we're responsible for assets because of the data that's on those assets. And if that data gets out and into the wrong hands, we can cause a lot of harm to our customers, to our employees, et cetera. That is why this is an important topic for me.
Greg Kanevski (executive)
Paul?
Paul Hepp (attendee)
Yes. So first, thanks for having me. I've been in the financial services industry for 33 years, 29 years at Standard & Poor's and now 4 years at Northwestern Mutual. My teams basically drive all the service management IT operations management, reliability, security vulnerability and audit from an infrastructure and cloud services perspective at Northwestern Mutual. The reason why this is an important topic is -- to add on to what Stephanie said is, we definitely don't want to see Northwestern Mutual on the front page of the Wall Street Journal, right? So every time we read something, we hear the news, somebody has gotten hacked, right, something has gotten breached. And we don't want to have to deal with that at our company. And so we've doubled down on that with the work that we're doing right now to ensure that, that doesn't happen.
Greg Kanevski (executive)
Great. We said before, we want an interactive session. So I don't know how I'm going to be able to arrange this, but whoever asks the most questions can join me at the Taylor Swift concert in Chicago. No takers? Okay.
Greg Kanevski (executive)
So let's start off with the basics. As far as assets, in the end, from my past dealing with the regulators, they kept saying to us, what do you mean by asset? What do you mean? And I think asset is used as a generic topic, right? How would you -- let's start with you Steph, if you don't mind. What are we really talking about? And how do you look at it from your approach?
Stephanie Truckenmiller (attendee)
So we actually have spent, probably, the last 5 years at U.S. Bank partnering with different organizations, in particular, our security teams in trying to define what asset means. Because they have a completely different definition of asset than what I have, which is really around hardware and infrastructure, software and applications. And then as you get further into the business and we're moving to the cloud, you are adding on some additional asset definitions. And then when the regulators come in, they have another set of assets that they care about. And everybody calls these things assets, but in actuality, a lot of them are attributes. So it really cares about certain things about assets. And I would say we don't have a good definition at U.S. Bank yet about asset and what we think those IT assets are. We're working through that majority today.
Greg Kanevski (executive)
It's a great point. I found the definition difference between physical and nonphysical assets is probably the most immature in the industry, right? Everybody thinks of an end point, everybody thinks of a device or switch or telephone whatever it might be, the old days, the fax machines. But today, it's now logical act, logical points and how to marry those together and then how to define what is in and what is out. That's fair.
Stephanie Truckenmiller (attendee)
And as it used to be really financed. It's based on your finance is how much you pay for something, how much is still on the books. That's not really a factor hardly at all today.
Greg Kanevski (executive)
That's a good point. All right. Paul, do you have a comment on that one?
Paul Hepp (attendee)
No. I mean I could ask the crowd or audience, how many people have an actual definition in our company today. Raise your hand if you have a good definition. Exactly, right? Like I don't think maybe...
Greg Kanevski (executive)
Maybe 5.
Paul Hepp (attendee)
Of course, my team raises their hand. Half of them raised right here. But I think it is a challenge, right, so -- and I'll probably butcher this a little bit, and I'm sure my team will like give me dirty looks. But the way we're kind of thinking about it right now is that it's the things that we can go out there and discover and that we need to patch, right? So when we're looking at it across our network, what's on our network, right, what can be breached on our network, whether it's a piece of software, it's a piece of infrastructure. And everything in that, that makes that up is what we're considering an asset right now from a cyber perspective.
Greg Kanevski (executive)
Paul, you brought up the team here and how you approached it from an asset point. Was there a compelling event? What was it that started this for you?
Paul Hepp (attendee)
Yes. So there's a couple of things. So in 2018, when I got to Northwestern Mutual, I think in the first 2 weeks, I was there, we were going with just an audit compliance issue from a software perspective. And at the time, which I'm sure most people have, right, they don't know what they've got deployed. They're not sure what they were paying for. And our CTO at the time had asked, "How can we fix this? Like how can we get to a point where we kind of know what we have before software vendors come in and audit us and then penalize us for being out of compliance?" And so we started down the path then with ServiceNow, building out the software asset and that CMDB at the same time. So we started deploying discovery and building out that process. The second event happened last year, what I'd say a significant event is our Chief Security Officer that had come in. I had actually worked with at Standard & Poor's, but she had come in and had an external assessment on, a NIST assessment. So I don't know how many people know what that is, but I would suggest you use that. I don't think you have to necessarily have the assessment done but use that maturity framework to drive the work you're going to do. But we have the assessment done across our entire security landscape. She was able to take that and go to the Board to get an investment that we are now using to kind of drive maturity across asset and a lot of other areas. The point is, is that like a lot of people ask like how are you getting their company behind this, that's how we got our company behind -- the entire company behind it as you get that Board level support. You get the funding and you're able to drive a lot of improvement.
Greg Kanevski (executive)
Did you -- to follow up on that, did you -- there was a CISO epidemic?
Paul Hepp (attendee)
Yes.
Greg Kanevski (executive)
Did the CISO presell it with the Board, letting them know what she thought was going to happen?
Paul Hepp (attendee)
I don't think so.
Greg Kanevski (executive)
So Stephanie, last -- we were with the Board every month, myself, the CIO and the CISO, talk about this because it's a trifecta, right? My Boston accent comes out once in a while, sorry. Trifecta comes out just because it's important to marry those 3 together. For your firm and for how you folks look at it, Board level and getting the attention, where does that sit for you folks?
Stephanie Truckenmiller (attendee)
Well, I think that's the challenge. That's part of the reason that it's getting more focused now, but where it's lacked focus in the past. So in the past, it's never got to the Board level. It's barely my senior leadership level, right? They could just figure we're taking care of assets. We're managing them fine. There's no problems because we're not having data breaches and that sort of thing. Now as information security and the risks are starting to come in and point and info calls into what's going on, now those leaders are starting to pay attention. Now the Board is interested in what we have going on. And so now we're going to get the investment and the attention that this needs so that we can take it seriously.
Greg Kanevski (executive)
So actually, I want to ask the crowd this quickly. How many of you feel as though your Board is aware of your asset management program deficiencies and progress? Very aware. Okay. Somewhat aware? Okay. So we still have, in the industry, a visibility issue and support. Probably some of the reasons why it's so hard to get funding in these areas. Stephanie, given the size of your organization to bring this together in a cohesive way, how hard is -- and politically funny, right, how hard is that to pull it together? And I'm sure it's similar to a lot of other friends, right? Folks aren't much different than many others.
Stephanie Truckenmiller (attendee)
Very, very true. So we've been working on it kind of in silos. So we've got hardware asset management, software asset management. We've got CMDB. We've got our application management, right? But it's doing their own thing. What we have come to find out is that through discovery of the duplicate data and/or lack of good data that security needs to do, vulnerability management, some of the other things. They were like, hey, we've got a problem here. So they started knocking on some doors, started raising up some flags. And now we've actually created this strategic portfolio, the strategic risk portfolio, specifically to tackle things like enterprise asset management at U.S. Bank. It's now getting the right visibility and leadership that it needs at the top of the house, so that we can come in and do the work that's necessary throughout the rest of the layers. But it's taken a lot of attention from our regulators, poking from our regulators and poking from our security folks, to your point that NIST in cybersecurity is a big deal. And because they aren't laying down and being quiet anymore about this, we're getting the right level of attention, but it's only because of that. Otherwise, it's pretty much a political hot button though because we don't have a good definition for assets. Everybody has their own definition of asset. So we're putting together this Board to work through what our enterprise asset program will look like at U.S. Bank.
Greg Kanevski (executive)
Okay. Paul, in the press session, we were sitting and having lunch, just kind of chatting. You had mentioned there are some changes going on in the org. Same questions to you as Stephanie about Board awareness, the ability to pull it. It sounds like your organization is really taking strategic approaches to it. Is that fair?
Paul Hepp (attendee)
Yes. I mean like I said, I think getting just that Board awareness and having to report back to the Board is key, right? So -- and if you look at what we've done just over the 4 years that I've been there, we've gotten NLP to a point where our large vendors will understand our net license position. We've got a pretty healthy CMDB. We're using our CMDB to drive DR tests. Just recently based on the NIST work, the way that we've approached just the way that we're actually looking at what we have in which I think is key and I've kind of talked about this morning is -- and I don't think a lot of people maybe approach it this way, but we integrated our ServiceNow Discovery into our Infoblox, which is our network source of truth. 10,600 networks that we're discovering across, and we've automated that integration. So if something changes on the Infoblox side, it changes on our Discovery side. Now people will question like, "Are you getting too much stuff." Possibly. But we want to know what we have, and then we can start talking about what do we want to actually have in the system and what don't we want to have in the system. What do we need to be tracking and what do we care about? So we've made a tremendous amount of progress. And if you look at kind of what we've done from just a NIST, in 1 year, we were assessed again this year, we've moved up a full basis point, right, out of 5 point -- maturity curve, we've moved up 1 point. And our program, our asset program goes through 2023. I'm expecting us to have our goals like from a NIST perspective by then.
Greg Kanevski (executive)
And I find in history that as long as you communicate the time line, right, there's 2 ways to do it. We're going to look for everything, and then we're going to figure out what's important and go forward. Or we're just going to look over here and whatever we don't find, yes, it's a risk, but we're going to accept it. It's 1 of 2 ways to do it, right? So it looks like you didn't -- I think as you communicate the time line, it sounds like you can execute.
Paul Hepp (attendee)
And we're reporting KPIs up to our tech leadership. So we use 3 KPIs to do that. We use one that's really driving the scope and what we're discovering, and with that integration with Infoblox, we're saying we're at 100%, right? Or something changes, we know what changes from what we need to look at. And then the other one that we're doing, the other KPI is we just call it interrogation. And it's basically saying how many things do we know what they are and that they're in our system and how many things do we not know that are in our system. And we're at like 98.9% I'm looking at the guide, yes, something like that, right? So we're close. We're probably 2,500 to 3,000-ish devices away. And we know what the big chunk of those is to get really close to 100% of knowing everything that's sitting on our network, right? And then the normal CMDB metrics we use from an enrichment perspective, completeness, compliance and correctness. So we're driving and showing our health from like 3 KPIs up to the tech org that way.
Greg Kanevski (executive)
So you've given some great examples of how you're executing and where, in particular, you're focusing the depth. Let's take a step back and talk about strategy for a minute. You and your peers had to put the strategy together. You had to come out with an approach of fundamental. How did you guys end up doing that and framing it? Can you give some context?
Paul Hepp (attendee)
Yes. Yes. So it's funny when we started thinking about it because one of the biggest challenges that we had was really what is an asset. Like it was not the stuff that you think is going to be the challenge. You think the technology stuff is kind of going to be more of the challenge. And it was really just getting everybody on the same page with how we're thinking about things and what we're calling things and what we need to do. So it's just a lot of sessions from that perspective. But the other thing that from like when you start to think about what we need to do in the road map of that, I've got a lot of great people on my team that started building out a ton of industry experience, right? So we were leveraging all that. We started meeting with external customers -- or sorry, customers of ServiceNow to understand how they were doing it to see if what we were doing made sense. So we utilized that to build out our road map. But the one thing I wanted to mention and the other thing that we discovered as part of this road map, it's not just around life cycling assets. You have to think about like what we call is like shutting the front door, right? So you can go out and find all your assets. But if you still got a problem with assets coming onto your network, you're always going to have a problem. You're always never going to be at 100%, right? So there's a lot of things that you have to do to control access. If you've got people that can bring things into your network and plug them into the wall, use things like NAC to keep them from coming into your production network instead of pushing them out to your guest network, right, things like that. So there's other things that you have to consider that might not be what people consider normal asset life cycle and all that. But we work with EA and I see my EA partner in here, and so we work with them to start to develop those processes of governing all of that.
Greg Kanevski (executive)
So it actually brings us from really well into the next top of ESG. And I think more like governance side of it, right? This really helps us talk about you can't just fix what's out there and expect everything else to happen. You've got to have governance around it, have to have controls around it. You have to have a policy around it, you have to have a cultural change around it, right? And Stephanie, I think this is kind of more in your area where you've -- you're setting policy in tone, right? You're setting the G of ESG. The context and importance to that for you, for your team, how does that work?
Stephanie Truckenmiller (attendee)
It's a lot different than it used to be. So when we started off doing our asset management program that's really focused with hardware software, strictly kind of workstations and applications that you'll load on those workstations. And so the policies and controls that you had to have then were pretty simple and basic. To Paul's point, though, it's kind of like they're stacked. So you have other controls that you need to understand how they are compensating for a block in the front door, detecting an authorized asset, what kinds of access controls. Whatever the things that are also going on that are going to protect the data because at the end of the day, it's about the data more so than it is about the assets. And then building that into what controls do you need to have for further compensation. So it's working with our partners and our business lines. It's working with our other team members to find out how we can create workflows that say when this happens, do this. So those are the policies, the requirements that we're building out. And we're automated as much as we can on the control side so that when our orders come in from the FRB or the OCC, they want the evidence to prove that we're managing and controlling these things. We can say, here's how we're doing it. Here's our reports. And actually, we're doing a lot of that on platform, which has been really fantastic. We have a lot more opportunity to take advantage of there.
Greg Kanevski (executive)
It seems to start at the top down. In other words, you and your peers have to establish that cross functionally, right, in order for -- because no matter the best policy out there, if it's not followed, it doesn't work, to Paul's point, right? You can fix and discover all the assets, but if it's wild, wild west and people are still bringing things in, it doesn't work. It's kind of an open question, not part of our prep, but I mean have you -- have either of you found a best practice out there on how to bring your peer groups to the table in order to help you drive that ability to execute change, if you will, on a fundamental level? Paul, you're shaking your head.
Paul Hepp (attendee)
Luckily, my peers are the head of the network and the head of all of our core platforms. And Ahmed Azam, who, guys, are on the keynote runs it all, right? So between that like core group of people, we're the ones that are actually driving with the AR strategies, right? So when we talk about how do we bring new technologies in, how do we create standards and govern standards, it's not a lot of people that you're bringing to the table to do that. There's a core group of 10 people maybe that are having that conversation with and you're getting them aligned. The challenge is going to be the culture at NM and driving a change, right? Because if we allowed certain types of access and people to do things, taking that access away from them, having the right processes and procedures in place to allow them to still get to the same outcome, but maybe they're not the ones with their hands on the keyboard, right? That's going to be the harder part is to get that pushed through and get people to understand and buy into it. Coming up with a solution to do it, I think, is relatively the easy part.
Greg Kanevski (executive)
So if we can stick with that theme for a minute, and then we're going to -- I'd like to turn it over to Stephanie for her thoughts on road map. But continue you want to continue on a path. You want to continue to future to optimize your strategy. You've already talked about risk and security, which is, I think, really where, after you answer, I want to get into it with Stephanie. How is that playing into your future road map? What have you learned from it that you're applying into it, and how it's going to relate to risk and security as you continue to mature this program?
Paul Hepp (attendee)
Yes. So when we started the program last year, when I talked about the program, the CTP program that we created, based on that NIST assessment, we built out a 2-year road map to handle everything we wanted to do. One of the things that we're looking at this year is, does what we're doing still make sense, right? Do the milestones we're still marching towards still make sense from a road map perspective based on trying to get the maturity in place that we need to, to feel comfortable that we're actually meeting the business outcome that is basic? It's basically if we get breached, can we quickly identify what that thing is, what's on it, where it's at and get it shut down quickly, right? That's the outcome we're trying to get to. And everything that we've lined up to get to that point, will take us through 2023, and we already know what those things are. The things that I already talked about of getting that front door shut down, I think we have more work to do on those types of spaces. There was a story in the news about a company that got hacked through their fish tank thermometers, right? The fish tank thermometers were connected to the network and somebody was able to hack into those and get into their production network, right? So when you think about that, nobody is going to put a fish tank thermometer in CMDB -- or in their module, who cares? But you have to figure out a way to segment them off, so they can't. So you can make that potential breach a lot smaller. But all the fish tank thermometers in one network that's firewalled off and then they can only shut down and kill your fish. So that's the other way we've got to be thinking about this.
Greg Kanevski (executive)
Internet of Things, right? Turn your light bulbs off. I'm sure it's trying to hack into us right now. Stephanie, how about you with this, with your strategy and your road map moving forward? Same question.
Stephanie Truckenmiller (attendee)
Sure. So we actually took an approach. We have this thing at U.S. Bank called RMIs or Risk Management Initiatives. And so asset was one of the ones that was focused. And to kick that off and to figure out what it is we needed to solve to significantly reduce risk in our asset space. We went and partnered with multiple different teams across U.S. Bank to understand their different scenarios. What asset data do you care about? How are you doing asset management today, et cetera, et cetera. So we built the catalog of scenarios and use cases, if you will. And then we said, okay, how do we go and tackle which ones are the most important and are going to reduce the risk the fastest versus what we aren't. Along with doing that, we had some other initiatives going on. So we pulled them all together into a broader program. We're including our enterprise architecture teams, again, our security teams, our risk teams, our IT teams, whether they're asset owners or CI owners and, of course, us from a tool and platform and process perspective are all sitting on this Board of people to work through asset definition and building out that road map of what we want to do to improve asset management at U.S. Bank. But it was really intentional. Like you have to be intentional about it, accidentally, this isn't going to happen. And you have to also have that support from the top of the house, which we did because of that asset RMI and the seriousness that we take at work.
Greg Kanevski (executive)
I can't think of a more important -- ServiceNow has me do a podcast, so not quite a bit. And one of the biggest things I talk about is leadership from the top. If the C-suite, across the board, is not lined up behind it, especially with the Board of Directors, it's an academic exercise.
Stephanie Truckenmiller (attendee)
We don't think you were talking about your KPIs. So we watch those on our team, like we look at them. And then I know what's going on so I can help manage that, but my leadership doesn't ask for it. The Board is not asking for those metrics, which is a little bit scary because actually, I wouldn't want to give it to them because they wouldn't like what they were going to see. So we'll have some time to get that cleaned up. But they aren't asking for asset KPIs. They're still focused on other things, we do vulnerability management, super important, right? But our service delivery and some of those other data quality, some of the other things, they aren't -- still aren't focusing on asset yet. And I think with this new program and how we're organizing it, they are going to get more engaged, which will allow us to get the right funding and support.
Greg Kanevski (executive)
I know there was only a few hands that were raised. By the way, any questions so far? I'm going to ask the crowd. We have a question down front here. First row on the right. But the question I'm going to ask after this gentleman asks is, is any of you that have gone through the practice of getting the C-suite, getting your Board, getting the crowd to understand, the leadership to understand where you're headed, why it's important. I'd love to know if anybody has the best practice out there for us. And for my last work, it was based on the regulators. They came in and said, you need to have a separate Board focused just on technology. And if you don't, we're going to have a problem with that. So what we ended up doing was -- with support of the CEO, we had a C-suite initiative. And we brief the Board every month of what was happening. And so the regulators understood it and it compensated for it. But it was the regulators that allowed us that way. I'd be curious after this question, if anybody else has the best practice out there of how they found to get the right visibility. [ Tricia? ]
Unknown Attendee (attendee)
Yes. It's kind of a long question. But our CISO just did exactly what Paul did, she went to the Board and brought those sorts of things up. But my question is for Paul. So you were talking about the integration that you guys made to Infoblox. So we've done something similar. The struggle that we're having is we're good on the static IP addresses that we can map to a NIC, to a server, that sort of thing. We're struggling with the DHCP stuff, which is going to be the rogue asset stuff. So is that what you're alluding to with the fish thermometer thing where you're trying to segment the stuff out or...
Paul Hepp (attendee)
So I kind of look at it like there's like 4 legs to the stool, I guess, is the way I kind of look at it. One leg is everything we've been talking about as life-cycling assets and knowing what you have, right? The other leg is what I called NAC, and honestly, I don't know what NAC stands for. But it's like a network appliance capability that when you plug something into the wall that gives you that IP through DHCP, it looks at that thing and says, "Are you certified to come on to the network or aren't you?" And if you are not, it will push you over to the guest network. The other leg is that segmentation like I talked to, and that's the Internet of Things, and we've got to work through that, right? So like Charlie Manley, who's sitting in the audience that works in my org driving that and saying, what are the different paths that we have to go down when we actually discover something that's unknown like is it a fish tank thermometer? And what do we need to do, because certainly we don't want it on our data center networks. Our network teams are working right now on figuring out what is that segmentation so we can get it into like the -- maybe sent into an IOT network where they can -- worst thing they can do is stuff our wall clocks, take our fish thermometers down and shut our refrigerators off, right? Like -- I mean, nobody wants that. But it's better than taking our entire production systems down, right, so. And then that last leg is that access control piece that I talked about. Like you've got to figure that out because it will be a never-ending problem if you don't figure out how to control what people are doing on your network.
Greg Kanevski
executiveThat's your question? Right now you and I can go to the Taylor Swift concert because -- it's really that -- maybe that's why people aren't asking questions on anything. They don't want to. [ John? ]
Unknown Attendee
attendeeYes. So we had a question from the audience regarding your experience with vulnerability scanners and how you're getting those inputs from your network and/or systems that have worked, so you can remediate as you go for it.
Paul Hepp
attendeeIs that for me?
Unknown Attendee
attendeeEither or...
Paul Hepp
attendeeSo [ John, ] the question is, have we integrated with our vulnerability scanning, is that the question?
Unknown Attendee
attendeeYes, which ones have you used as well.
Paul Hepp
attendeeCorrect. Jeez, what vulnerability scanning capability do we use? Okay. Yes, I'm not sure. But anyway, we do have an integration.
Charles Manley
attendeeQualys.
Paul Hepp
attendeeQualys. There you go. So we do have an integration. It's an integration -- so basically, what we did is we looked at our CMDB, and we started tagging what we think are the -- first of all, what we did is we started tagging what we think are our most critical assets, right? So we use that tag as a way of prioritizing our vulnerability remediation. But there's also a connection that Qualys team uses that ties back into our CMDB so that they also know like these set of servers are associated to this application. And so there's that type of integration that's happening. But it's -- we're not using the ServiceNow like product to drive like vulnerability remediation or governance right now.
Greg Kanevski
executiveUltimately, if you don't tie it back to the scanning, to the assets itself, you're never going to be able to define -- no matter what you find from the Qualys scan, you're never going to know what's different between what's most critical versus what is -- so you need context in order to apply those standards, otherwise everything is going to have the same standard.
Paul Hepp
attendeeYes. So basically, that integration with our CMDB gives it context, right? It gives a context and prioritization of you've got -- lots of people have literally millions of vulnerabilities. How do you know you're not just patching the one -- sorry, the lunch menu app and not sure like most critical app in your company if you don't have that connectivity and that prioritization?
Greg Kanevski
executiveWe've got another question here.
Unknown Attendee
attendeeSo have you integrated your certificate management and your UAA into the security and what you're doing in the CMDB also?
Paul Hepp
attendeeNo. I'm going to say no to that, yes. So I'm looking at my guys like, no. We haven't given the answers on that -- that's it. It's on the radar side.
Greg Kanevski
executiveTo the question I had a minute to go to the group. Anybody have a story they want to share about getting visibility executive or the frustration or an area that they felt has really helped resonate and get some visibility at the Board or very most senior level? Okay. It's a quiet crowd here. All right. We're going to -- what's that? Colonial Pipeline. We have a question and then another one here. Sorry.
Unknown Attendee
attendeeI was just going to say that there's nothing like a good cyber attack to raise awareness in the...
Greg Kanevski
executiveRaise awareness in an emergency, right? We had a question right here. No? Okay.
Unknown Attendee
attendeeGreg, we did have a question over here. You guys had mentioned that you don't have a definition for assets. So how do you define asset versus CI?
Stephanie Truckenmiller
attendeeI can take that one. So then I actually can -- you think it's kind of clear when it comes to this. And a good friend of mine is very adamant about this, and he told me this multiple times. And it is -- an asset is what it is before you put a configuration on something. So whatever the asset is, it is an asset until you put a configuration on it and you plug it into the network, and then it's when it becomes a CI. So if you think about things like a monitor, as an example, a monitor is an asset. It's never going to be a CI because it can't be configured. But your workstations, your appliances, heck, maybe even a fish thermometer could be configured. And so as soon as you plug it and you put a configuration on it, then it becomes a CI. You think about the CIs are, what do I care if something changes with it, right? That's going to be a CI. I don't care if something changes on a monitor because nothing can change except for maybe a plug, but it doesn't matter. So an asset is, in fact, that thing that it is in its initial state, when you first purchased it or it's the first idea that popped into your head, whatever it is, right? But as soon as you configure it and you put it on that network and it becomes live and you start using it, that's when it becomes a configured item.
Paul Hepp
attendeeYes. I would add to it like, obviously, you can have CIs that are assets and assets that are CIs but you can also have CIs that aren't assets and assets that aren't CIs. The one thing about assets is that there's some value to it, some actual monetary value, right? So whether it's something that you can depreciate, something you're leasing, something that you have to understand that life cycle of, that to me is an asset. And then to Stephanie's point, if you're doing some configuration on it and you need to track that and those attributes then it also can become a CI.
Stephanie Truckenmiller
attendeeI do want to say really quickly, though, Paul and I both can say how we would define asset. But I think it's when you start to get outside of what everybody here already know as an asset, software is an asset application is an asset, infrastructure is an asset. Even your cloud stuff, some of that stuff could be asset or not, right? You're talking about your policies in the cloud, those are assets, for some companies they might be. But I think that's when you start to get a broader -- into the digital space and some things, document is an asset, right? So you're going to track those, seem to be in your asset management tool. What about APIs? What about your Web URLs, right? Like where does the asset become just an attribute or when does asset really expand much broader than just your hardware, software, infrastructure and application? So things that go beyond that, that people are calling assets that we don't have a good definition for how we want to describe those, and we care about tracking for those.
Unknown Attendee
attendeeHow do you treat virtual servers, VM guests or VMware or Hyper-V asset configuration items?
Stephanie Truckenmiller
attendeeCI. So I don't know, I'd actually probably curious how you guys do it. But from a U.S. Bank perspective, if it's the physical asset like I can actually see it and touch it, it's going to be an asset. If it's virtual, so anything that's coming from the cloud or VMs, whether it's a virtual desktop or server, that's only going to be and this seem to be as a configured item. It's not going to have an asset type for it.
Paul Hepp
attendeeYes. So if it's a server, it's a CI and it's an asset, right? So it's sitting in both modules for us. And if it's just a workload on a VM farm, it's just a CI.
Unknown Attendee
attendeeRelative to software management, I assume you both manage applications and software within your organizations. Your user environment, are you running persistent or nonpersistent desktops? Meaning a regular laptop, for example, or a desktop system that folks access applications via browser or whatever, whether it be 365, Microsoft E5 Suite or whatever versus a virtual environment like a Citrix environment? Do either of you run either of those environments?
Paul Hepp
attendeeI mean I don't run it, but we have it at our company. So we have VDIs and we have physical workstations. We have both.
Unknown Attendee
attendeeAre you able to monitor your assets, your software assets via your nonpersistent environment, the Citrix environment? Because that's where we're struggling right now.
Paul Hepp
attendeeYes. So I know for sure that we've integrated into SCCM. We're also integrating into Tanium. And that will help, obviously, with the physical stuff. Charlie, do we have VDI in the CMDB today?
Charles Manley
attendeeYes.
Paul Hepp
attendeeOkay. Yes, so we have VDIs in our CMDB today. So the guy that's sitting 3 rows behind you on the left, raise your hand, Charlie. Like he's the guy you can ask.
Greg Kanevski
executiveWe have another question there on the -- sorry, Stephanie.
Stephanie Truckenmiller
attendeeYes, we actually have persistent and emphasis in VDIs at U.S. Bank. And of course, we've got physical workstations, too. We're transitioning to instead of being kind of an asset-based license model to a user-based license model. And that's how we're going to do our tracking from a licensing perspective going forward.
Greg Kanevski
executiveMy apologies, Stephanie. A question there in the middle on the side.
Stephanie Truckenmiller
attendeeNo, it's okay.
Unknown Attendee
attendeeThere we go. I got a 2-parter, one for the panelists, one for you, Greg. Do you guys adhere to the common service data model pretty strictly? And would ServiceNow consider doing like a webinar series on -- specifically for banking, on how banking should be utilizing the common sort of data model, especially on the newer versions coming up 4 and 5?
Stephanie Truckenmiller
attendeeI'd like you to answer first.
Greg Kanevski
executiveSo we do -- I'd love to connect with anyone else. We do have a series of assets that we have now, whether it's both thought leadership and physical assets. But I'd love to tailor and pull that string a little bit more with you. Yes, I'd love to get into that, especially for banking. That's what I do. So that's what I'm here for. But we have a thought leadership website, where we get into a lot of this with folks like these here, where we really try to get into it. We did one last week in Orlando -- or 2 weeks ago in Orlando on hyper automation and how to think about that differently, brainstormed on it. That's recorded. Things like that. So I'm happy to get into that and discuss more for anyone else. Maybe after the session, we could talk over here on the side.
Stephanie Truckenmiller
attendeePaul, do you guys follow a common service theme?
Paul Hepp
attendeeI mean we're starting -- I mean I'm going to say we're kind of in our infancy from that perspective. It's definitely something that we plan on follow starting to get over my skis here on this conversation, but it's certainly something we're moving down the path for, yes.
Stephanie Truckenmiller
attendeeAnd same on our side, as we get into more Service Mapping X, we just implemented service portfolio management to help us align our service offerings, software services and application services, et cetera. So the CSDM is really important in that model. So we're really starting to apply to it and stick to it, much more than we have in the past.
Paul Hepp
attendeeYes. We're starting down that path, too. I think the challenge we're having is just getting people to understand it. It's a 165-year-old company and they've done whatever, they've done it the same way. Some of my team don't even understand it yet, to the extent that they need to, so. I mean I've got experts on it. So it's really -- like I don't know like how difficult it was to like really get it to where it needs to be. I think it's going to be as or more difficult to get everybody to understand it and understand the value and why we should be doing it.
Greg Kanevski
executive[ Tricia, ] do you have another question?
Unknown Attendee
attendeeThe question around the transition of going through COVID and people working from home and managing kind of those assets and how they're checking in or not checking in. Can you talk a little bit about that?
Paul Hepp
attendeeSo like I'm having a hard time hearing her.
Greg Kanevski
executiveHow did COVID impact the way that people remotely check in and deal with the assets?
Paul Hepp
attendeeLike when you say deal with the assets, what is -- what do you mean by deal with the assets? Like what does that mean?
Unknown Attendee
attendeeSo the question was when people started working from home, in terms of connecting in, checking in, in terms of where they are based on their location.
Paul Hepp
attendeeSo you're asking how are we tracking whether our employees are actually doing work and connecting into our VPN and doing things like...
Stephanie Truckenmiller
attendeeJust where the assets are, right?
Paul Smith
executiveOr where the assets are? Yes. Yes. So yes, so it's definitely challenging for sure, right? We have a lot of laptops that are out there, whether we have contractors that were no longer with the company that we're still struggling -- or employees that have quit that we're still struggling to get them back. And what we did right off the bat when COVID hit is obviously we had to beef up our VPN really quickly. And it took us a little bit of time, maybe 3 weeks to really beef it up. And then what we were allowing people to do is kind of like drive by, pick up some extra monitors or whatever, right, to kind of try to get that home base set up to -- the best that we could. Now it's a matter of who do we give all that equipment to and how we get it back. And I would say that just from my knowledge of it, it's not like a huge problem at Northwestern Mutual. But I do know that we've got like 300 things out there, laptops out there right now that we're trying to figure out how to get back. I don't know how much of it's due to COVID. I thought a lot -- I think a lot of the people that had brought a lot of equipment back that don't need it anymore, it's more of through attrition. Like with those people -- who are those people or a contractor or whatever. It's just we send them a box, send them back to us, is a struggle for whatever reason.
Stephanie Truckenmiller
attendeeWe actually paused a couple of our key controls during COVID because we couldn't really check up on the assets. We couldn't have people come in, make sure things are on the network because they weren't allowed in the buildings. And then we let people take, obviously, the laptops home. But we also made it a way that they could take their workstations home, too. So once those things left the building, depending on how discovery runs, they may or may not have checked in. We actually still have Elizabeth -- I'm sorry, Becky Halfmann, probably keep me honest here. I think we have at least 10,000 workstations that we still are having -- are missing, right? It is really as a result of COVID. And our 90,000 workstations we have at U.S. Bank, it's a significant number. It's a problem. How we're tackling that now, though, isn't necessarily from an asset management perspective, but some of those layer controls we were talking about earlier. So we're going to do file level encryption on the workstations. We're going to have chips inserted in the workstation so that if you try to take the hard drive out, it essentially blows up and you can't get any data off it. So what we're going to do is take an approach of how we protect the data that could be on those workstations, assuming that they're going to be lost and really just kind of chuck them off as being lost. But COVID took a serious hit to our asset practices and processes that we are seriously cleaning out of right now.
Greg Kanevski
executiveI think to Stephanie's point, I go around the country every week talking to financial institutions. And from there and from my former employer, I think everybody took a look at risk differently when COVID hit, had to race and want to get business done. Those that started the process of asset modernization before COVID are a lot better off right now than those that didn't. Because they're just now merging with what would our old scans tell us. We don't know where those end points are. Whereas those that started before COVID and had the ability to start with this asset is attached the network, you're not getting on anymore. And we're just going to cut our losses and start from here. They are a lot better prepared at this point to manage and start to be a little more proactive and predictive of if that asset hasn't been on for 3 months, maybe they actually send a note to the manager. And do you know that your employees' asset hasn't been on the network. Is that the way it should be? And I think people are using it more and more proactively in that one institution even mentioned that they were taking pictures off the cameras. I haven't heard a lot of that, but it's more on the monitoring side. All right. We've got another question, [ John? ]
Unknown Attendee
attendeeSo speaking from a business application point of view and your CMDB, how far deep do you get into the tech stack when you're showing relationships between like the business application, the server and the switches and so forth? So if you do have a disaster recovery incident that you need to take care of.
Paul Hepp
attendeeYou want to go?
Stephanie Truckenmiller
attendeeGo ahead.
Paul Hepp
attendeeYes, so it's the major pieces, right? So we map out like our applications to our servers and then there's association of if we have middleware and database on those servers that we're associating added to those applications. I think we also have the capability of tagging some of those other CIs with we call it UTAN, it's basically it indicates -- it's like a unique identifier of an app. And so we use that capability to kind of build out that map and do seem to be same in the cloud like when we're building like an AWS or whatever one we're deploying or creating EC2 instances or whatever. We'll use those UTANs. And those UTANs will be in the pipeline as those instances are created, and it will associate the apps to those instances.
Stephanie Truckenmiller
attendeeSimilar. So from an app to the server to the database, and then we also will include some of the key network gear that's related to it. That's about as far as we're going right now because that and of itself provide so much data. And that's really I think what's needed mostly from a vulnerability management perspective as well. So it's serving that purpose. But as we get further into service mapping, I think we're going to get to mapping a little bit more and middleware and some of the other application components that support them as well, but we haven't gotten there yet. The people are really consuming the data that we're pulling and discovering and mapping today. So I'd hate to pull more, and until we've got a good plan in place for people to actually consume that information.
Greg Kanevski
executiveI think it is a great question, though, because as we stated in the beginning of the session, I heard recently from colleagues in the health sector that for different reasons the regulatory were starting to push them towards that. And I know the banking, the OCC is pushing because they want to know by distribution channel, right? They want to know both horizontally and vertically. How does that relate to your stack, but how does it relate to how you distribute services? And that is very, very complex especially when you have, right, shared networks. So very, very -- it's a great question asked, and I think it's the future of where asset management is going, frankly, especially resiliency. Okay. So I think we've -- we're good on questions for the moment. So I want to start, Stephanie, with you. We've talked a lot about the program from definition to strategy to visibility, reporting. Where would you -- Paul gave a little bit of insight a few minutes ago about where he thinks, I think, Northwestern is. Just curious where you think you are in like the success, like how would you rate it? And then two, what would you wish you've done differently knowing what you know today?
Stephanie Truckenmiller
attendeeTo make it a scale 1 to 10, like 1 to 10?
Greg Kanevski
executive10 being outstanding.
Stephanie Truckenmiller
attendeeMy gosh, I haven't probably -- actually will put us in 3, in all honesty, not because of a lack of knowledge and understanding. We know where the problems are. We know what we need to tackle and we know how we can fix them. It's actually getting the time and resources to actually execute against it now. So the road map, we've got it there, ready to go. We haven't executed yet. So from a performance perspective and how we're delivering on, I'm saying 3. But we've got the right team in place and absolutely the right people process and technology to be at a 7 probably in the next 2 to 3 years, I would say. It all takes time as we talk about assets, seem to be. And then what was the other question?
Greg Kanevski
executiveWhat would you do differently knowing what you know now?
Stephanie Truckenmiller
attendeeWell, I can tell you, I guarantee you, and I know as Becky is sitting over there as well, I would have never shut off our controls during COVID. Like that would have never ever happen, so one. And two, I -- when we invested in ServiceNow on the platform we're doing asset management base in ITSM. [ Hambro, ] I don't think was quite ready yet when we first got on the platform, but how I would do this differently? What I would differently is I would invest in that immediately versus waiting now to do it because I think we've tried to create so many solutions to our asset problems by kind of some customization, a lot of configurations and a lot of work that come right out of the box with [ Hambro. ] So from a -- how would I do this differently perspective, it's definitely having the right tools in place maybe and then maybe also reviewing the processes. There's a lot of process waste that we've even automated. And it's still wasteful, like we should have assessed our processes better before we started putting them in the technology.
Greg Kanevski
executiveGreat. Somebody asked me a question in Orlando a couple of weeks ago about they call the GIGO, garbage in, garbage out, right? If you don't fix your process from the beginning, it doesn't matter what you put on top of it. It's going to be what it's going to be.
Stephanie Truckenmiller
attendee100%.
Greg Kanevski
executivePaul, same 2 questions to you. You gave a little insight of it. Well, you took maturity step on cyber, but from the larger perspective overall strategically for the corporation, how do you think you fared and what would you do differently?
Paul Hepp
attendeeYes. I mean I think we're doing pretty good. Obviously, I've told you about the KPIs that we're measuring against them, what we're doing from a risk perspective. We have a lot of work to do, obviously. The program that we've put in place runs through the end of next year. It obviously never ends. I've literally had people ask me when the same will be complete. So yes, I don't even know the answer to that question. So -- but I would -- I mean, the one thing I'd tell you is I have a phenomenal team, really smart people. And I have all the faith in the world we'll get to where we need to get. And I think we're doing a pretty good job right now. What I would do differently is from an asset perspective, like 4 years ago when I came in and we were just looking at software, we were like tunnel vision in trying to fix that single problem and that weren't thinking broader. We weren't thinking about like what do we want to be when we grow up from an asset perspective. Frankly, we just knew we wanted to solve this software asset problem. We weren't talking about cyber. But if I could do it again, I would take a step back and I would think about where do we want to be in 5 years from that asset perspective? And how does cyber play into that, how do other things play into that, how are the 4 legs of the stool play into that? All of that stuff. So we could have, I think, be in a much better spot at this time than where we're at versus looking at each of these little problems like in their own space and trying to solve that little thing versus looking at the bigger, broader possibilities.
Greg Kanevski
executiveGreat answers. Okay. So let's take that down one level. Let's take it down. We'll use the same scale from the 1 to 10 program, but now let's talk about ServiceNow. Like median here, most inherent you folks are. You purchased, you deployed your functional, two-part question. A, how far do you feel as though you do -- like are you driving all the value, you still get further to go in your maturity curve of using that platform or those platforms to pull out the value? And then two, what's the one piece of advice you would impart on folks here, good or challenges? I mean hey, if you're going to do it, do this first because it really works for us. Or be careful for this, watch out and think through it and maybe it's culturally. So Stephanie, if I could start with you again, first with how much -- how far you think you are into that maturity of pulling the value out, and then two, one part of advice.
Stephanie Truckenmiller
attendeeWe do have a significant amount of the platform in play and production at U.S. Bank. So -- and I've got a phenomenal team as well, product managers and engineers that really do a great job at pulling out value. I would probably place it, probably as a 6 in terms of pulling on value. Where I think we have the biggest opportunity is on the asset side, asset CMDB-ITOM side. So for sure, that would be where it will land there. I think rationalization of your sources of truth is something that should be considered. We're going to start tackling that now. This is something that should be tackled years ago. I think about what security has Tenable, we've got Tanium. We've got Active Directory. We've got SCCM or Microsoft can point to it, right? HPNA, there's a multiple tool that are collecting the same asset information in the same attributes that we are also with Discovery, et cetera, et cetera. And so nobody trust each other because we're all discovering at different schedules. We've got different data, et cetera, et cetera, right? It's managed differently. Some isn't really maintained. So I think it's that rationalization of who is all tracking your asset information? What is the system of truth for those assets and attributes and then aligning that with your key partners and using that kind of as your CMDB, right, that's beating in there so that you've got the right sources of information in there. And everybody is using them in the same way.
Greg Kanevski
executiveThank you. Paul? You've been looking down.
Paul Hepp
attendeeTo put like a number on it, it's like so difficult, right? Because there's like so many things that we're doing right now. And I'm just -- like I was just going through it in my head trying to where we got from an ITSM perspective, where we're at from an ITOM perspective, where we are from APM, seem to be all that stuff. I can't put one number on it because we're working on all that. We're literally deploying IRM and replacing Archer. We're deploying VRM. We just went live with the HR Service Desk or service delivery, we're looking at -- so everything is kind of in a different space right now. I do feel good about the framework that we put in place and the way that we're starting to think around the federated low-code, no-code type of configuration and giving other people an ability to start to work against their workloads in these different spaces and not have it to just be my team doing it, right, so they can control their own destiny from a backlog perspective. I feel good about the framework that we're putting in place there. Like what is my one piece of advice, like understand the business outcome. I literally was just talking to [ Emmett ] who was the keynote. And we struggle. I mean we're just a bunch of ops and engineers, right? We're not like these like brilliant PR people. But understanding that business outcome that you're trying to reach, getting by in that, that's the outcome that the business -- the they want you to solve and measuring yourself and showing the maturity and the steps to actually solving that problem and making sure they're aware of your journey into that point, versus somebody telling you we need a good CMDB that can look at change blast radius and you put a button in the change form to look at blast radius, but you don't really know did it impact your ability to do changes without causing incidents because you've got that stuff built out in the CMDB. 
Being able to measure that and show the value that those types of capabilities bring is like key. And I think -- and a lot of cases, like I've missed the boat on that. And it's things that we're thinking about right now, regardless of how much work we've done and how much great work we've done, I can rattle off all the cool stuff that we can do right now, but we haven't like put it in a nice type format, ratable and evangelized it so that the business really understands that value. That's like key to me, like, we've got to do that.
Greg Kanevski
executiveYou both bring up -- I mean, from a practitioner standpoint and from in this role, from what I've seen work and what I see others are doing, I couldn't agree more. You have to know where you're going in order to measure how you're getting there. And there was one institution recently that came to us and said, we've bought all these IT products. Now we're buying IRM, we're putting them together. But the teams are at odds with one another. So they ask myself, a couple of folks to fly out there, which we did, listened to them, listened to the implementation partner. And I said to the exec afterwards, "What's your goal? What are you going for?" I said, "You're in the IRM side, you're breaking this down to an entity level that is so fundamentally minute, miniscule. You're perverting the system into something it's not and you're never going to be able to roll it back up." I said, you've to map this towards your priorities, and you've got to have points, checkpoints in there because you're changing the culture. This isn't just a technology that's going to help you measure things, you're changing the culture. So the change here, you're going to have that leadership from those points. So that's why I asked the question. I think they're great answers, right, because ultimately in the end, that's what you're talking about driving that change. Okay. Stephanie, Paul, thank you both very much. You spent a lot of time up here today. I appreciate all the questions we've had from the group. Hopefully, you've derived some value from this session. Greg Kanevski want to thank you very much. And if anybody wants to chat with myself and that gentleman over there about future hyper automation, welcome to join us. Thank you very much.