ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary
April 12, 2023
Earnings Call Speaker Segments
Kendall Hixon
executive
Good morning, good afternoon and good evening from where everybody is calling in from. I'm going to get started in just another minute. I usually just like to give people a minute or 2 minutes if they're hopping on from another call. But while we wait, I was wondering if everyone wanted to put in the chat where they're calling in from. I currently am calling in from Boston, Massachusetts. It's a pretty nice day out today, a little windy, but definitely starting to look like spring, so it's getting me happy. So just wondering where everyone else is calling in from. I see someone calling in from London. That is amazing. I am actually visiting London at the end of the month. And so I'm pretty happy to go see what it's like there. We've got someone calling in from Switzerland. That is a dream location for me to go to. I actually love to ski, but I'm on the East Coast of the U.S., which is kind of known for not having the best skiing. So we definitely like to try skiing out in Switzerland. We got someone from the D.C. area. That's also nice. My roommate is actually visiting in a little bit, and she's sad because all the cherry blossoms have actually blown away already. Okay. It does look like we are a minute past, so I'm going to get started. Hi, everyone. My name is Kendall Hixon. I'm a solution consultant here with ServiceNow. And today, I'm going to be going over our security operations solution with you all. Before I get started, I do want to just note on the fact that all the lines on today's call have been muted, and that is just to prevent any background noise from coming through. But if you have any questions at any point throughout any part of this presentation, I encourage you to please put them in the chat. I'm here to answer any and all questions you may have. On the agenda for the day, we're going to be starting off with the Now Platform overview slide, and then we'll be moving on to accelerate Security Incident Response.
With that, we're just going to touch on some of the challenges that we see current business is facing and how we actually solve those challenges. We'll then move on to the personas and the SecOps demonstration and lastly, leave time at the end for Q&A. We are scheduled for 60 minutes today. I definitely just want to make sure I'm leaving enough time at the end just to give everyone enough time to ask their questions and just to give me enough time to answer all the questions. The ServiceNow platform is unique in the fact that it unlocks value from existing transactional systems of record across the enterprise without cumbersome and complex management of custom-coded integrations, while at the same time, it's enabling a new kind of user experience that's going to be able to accelerate growth, drive engagement and create satisfaction. It's all going to start from our prepackaged workflows, which are application-specific, built to enable digital business transformations across customer, employee, technology and creator workflows. And each workflow area addresses a specific persona type within a business, inclusive of industry workflows, which usually require a little bit more of specific industry data models and functional capabilities. The workflows themselves present unique value in their out-of-the-box capabilities for solving many different types of digital business ways of working, but what's most powerful about them is the fact that they're all built from the same single cloud platform with a single data model and single architecture. The benefits can then best be described in 3 functional areas that are platform foundation; configuration and extendability; and then lastly, intelligence and optimization. So as we begin our discussion into security, I just really want to first highlight how we focus our attention to addressing security needs and where the problems actually derive from. So they're derived from these siloed workflows. 
And there's a problem with security operations teams being able to communicate and collaborate with other IT teams or other security teams like a vulnerable response group. And so when a security alert or an event comes into the security team, they have their way of addressing it. But a lot of the times, depending on whatever asset it is or what the security incident is actually affecting, there may need to be an escalation or the incident might just need to be handed off to another team to be resolved. The issue is actually going to lie, though, within that handoff between the teams. So there may be a lack of guided processes, lack in visibility on to who is actually being sent over to or how it's even being handed over to. There can be an issue with coordinating responses to and from and then additionally, even attaching any understandings to all the details of the specific security incident. And that's just going to leave a lot of unknowns with that, and that's truly where this issue starts. Siloed business structures are going to be able to also continue making it much harder to know what to prioritize and who to assign incidents to. Again, it's also just going to reinforce that lack of communication and again, just lead to a slower manual process to resolving the issue. And so we see lots of companies who deal this way have a much harder time end up dealing with all of the security threats coming in. So here is the architecture of ServiceNow security operations. We actually sit in the middle of all of your third-party integrations. So if we want to pretend a phishing e-mail comes in, it's going to be detected by your detection integration. They're going to find the e-mail, create an incident report and it might even be grouped with others if you have a correlation application. And then we have our vulnerability and configuration operations that are just going to help bring in any of the vulnerabilities. 
Next would be that Threat Intel option and these applications are really just going to enrich the same incidents that were brought in through the detection tools. We then can look at all these Threat Intel solutions, match them up to really just provide some better context into the incidents. And so when you're ready to actually begin coordinating and then remediating the incidents, we have Exploit & Solution Intel to really provide some guidance in Intel on how to best handle these incidents. And that's when we bring in our orchestration integrations because we want to block out any remediations that might be causing -- or incidents that might be causing these incidents. And so I understand that there is a lot on this slide, and I just want to point out the fact that we're here to work with whatever you have currently within your system. So if you use one thing for security operations, we're going to work with that one application. If you work with 100, we'll work with the 100. We're here to help you take action by really implementing some automization and machine learning to really just best coordinate responses to action. And so I just want to point out as well, we're not a security tool and we're not here to replace any of your security tools. We're just here to pick and pull and get the best value out of all your current integrations. And to sum this up, we focus on 4 main pillars to really drive security teams to success and really just help them accelerate remediations. We are a unified platform that is going to help you gain visibility into your alerts in your incidents with real-time updates. We're going to be able to help you prioritize these incidents based off of which incident is the biggest risk to your company. We're going to make it easier to make it a collaborative workflow and help with automations and artificial intelligence. And then lastly, we're going to make it easier to track your performance across the entire organization. 
So before I get into the demo, I just want to first highlight the personas we're going to be using today. I'm going to start off as Andrew, and he is our executive level, someone like a Chief Information Security Officer, CISO. And he's really going to just find visibility important. So he wants to check in on the overall security structure from that high-level overview and make sure teams are performing as they should. We'll then move into Adam, who is our actual security analyst, and he's just going to be analyzing the security incidents. And lastly, we'll work with Carla, and she is just going to represent our vulnerable response manager, and she's just someone who's going to oversee all the vulnerabilities within the organization. So with that, and I hop into my instance. I just want to confirm that everybody got this new change in screen. There are about 8 widgets on the screen and they got colorful green, purple, blue. Okay. Perfect. Thank you for confirming. Okay. So again, we are working with Andrew right now, and we are looking at his CISO dashboard. So major and minor organizations are going to be able to leverage our analytics to really improve their security program. And what we see are our customers really appreciate that ability to build out these dashboards for their teams and their leadership. And they can use them out-of-the-box or even use customized dashboards as well. And the CISO dashboard is really just a great example of what customers are actually going to be able to build rapidly. And as I mentioned at the beginning, one of the biggest advantages of ServiceNow is that ability to bring together data from multiple different groups to provide this holistic insight across the board. So when Andrew first logs in for the day, he'll look at the Overview tab, which is he is currently on. 
And this is just going to provide him some information from teams across risk, policy compliance, variation management, vulnerable response and even security incident response. And at the top, you can see we have a bunch of different tabs for the CISO dashboard. And these dashboard tabs can actually be created to organize any of the data within these dashboards. So personally, for Andrew, he has it set up. So each tab describes a little bit more detail of the different groups within the system. And he can arrange them however he wants, he can style them however he wants, but it's configured to him and his needs right now, but we can definitely configure it to you and your needs later. So when he looks into the Incident Handling tab, this is just going to help him keep track of how incidents are currently being handable within the system. The System Hardening tab is just going to let him know how well the IT infrastructure is being hardened and secured. And under Business Risk, this is just going to show him the biggest risk into the organization. And these are actually all live widgets. So if Andrew ever finds himself wanting to know exactly what the 23 very high risk to the company are, he can easily just click into this, it will give him the list and he will be able to evaluate from there as well. The Policy Control tab is really just going to give him some insights on the policy compliance and their performance. And lastly, under Cost and ROI tab is going to show him the cost and return on investments for the organization. And this is really just going to give him and the organization the ability to really watch all of these big-picture trends in the day-to-day of their work so they can just make sure they're striving to keep their organization as secure as possible. And so after Andrew has looked into all this, he might say, we need to work in on some of the major security incidents that are going on. 
So he can reach out to his coworker Adam and say, hey, can you look into some of the major security incidents that are going on? So when I click on this new tab, we are now Adam, and he is in his major security incident manager workspace. And so major security incidents are actually different from everyday security incidents. And this is just determined based off of the impact of the incident, the criticality of it or even severity of it. And they usually require a lot more cross-departmental collaboration. And so from here, Adam is going to be able to easily coordinate and really direct organizational-wide incident responses and workflows from this workspace. And he's actually going to be having access to an entire collection of tools and integrations that are just going to be able to help him create this virtual war room essentially to get this incident handled. And a fact I always like to share as well is that this can actually help incidents be resolved by up to 85% faster. So just thought that's always a great statistic to say. And so we can actually see how he's able to use this by clicking into one of these major security incidents. So once Adam clicks into this major security incident, he's going to be first taken to the overview of it. And so the overview is just going to contain some metrics that are going to help provide a quick and live look at what's currently going on within this major incident. So right away, he can see exactly how long that this incident has been occurring, when they think the resolution date is going to be, any response tasks that are associated with it and all of the impacted incidents that are impacted, so the assets, the affected users and even the affected locations. And it does look like a question just came in. So somebody is wondering -- so they say they use ServiceNow as ITSM currently, and they want to know if the IT agents are going to be able to see the security incidents? So, no. 
So the security operations application is actually going to be isolated from your main platform. So the only people who will actually be able to access anything with on this arm space is going to be anybody who has the security role that you assigned to them. And so nobody from IT, as long as you don't give them that security role, will be able to access this. The only time that they'll see anything to do with security incidents is if you assign them a task to help remediate the security incident. So does that answer your question? Okay. Perfect. So after Adam can go in and check the overview of what's going on within this major security incident, he might want to check on some of the details involved as well. So this is just going to provide him some information from both outside and inside the platform. So he can just view and really analyze it and see what teams are working on what parts of the incident if he needs. He can also see any of the impacted incidents as well, so a list of them. If he needs to click into that, he can and just understand what's truly going on within them. Under linked records, he's just going to be able to see any similar or related incidents that can be actually linked to the major security incidents. And he's also going to have access to see if there's any relevant threat intelligence that's going to be supplied to the organization as well. And we hear -- I've heard from a lot of companies we work with that collaboration tool is hugely important to them. So we are actually able to integrate with file-sharing platforms, so something like a SharePoint, and actually automatically create this centralized repository to really store all of the information that goes on within this major security incident. And managers are going to be able to do normal file operations here, such as creating files, deleting files. You can also add or remove any user access that you want. And we actually also have the ability to integrate with chat providers. 
So if you use something like Teams, we're able to integrate with that, and it just really helps everyone stay connected and really engage on the major security incident. We also do provide the protected chat channel. So over here, you can see the protected chat channel. And these are actually automatically created for each major security incident so you can read in on what Adam and Andrew were talking about before. And if Andrew ever says he needs a status report on what is going on within this current major security incident, Adam can use the SaaS Report tab. And this is just going to be a way for you to dynamically craft up and keep your leadership up to date. And it's going to require minimal effort. So it's going to be able to free up more of your time, so you don't have to spend time on these administrative tasks. You'll be able to get working on the actual security incident. And then the last tab is the Task tab. And from here, Andrew is going to be able to see everything that everybody is working on. So here, he can see that legal is currently -- legal and PR are working on a disclosure statement. He can look in and see what tasks are in draft or assigned. He can make sure he's assigning any tasks that need to be assigned, and he can also create new tasks all from this workspace. And so when he's looking in on all the tasks and seeing what everyone is accomplishing, he is going to see that Carla Jackson is currently working on a patch for the Log4Shell vulnerabilities. So he might want to reach out to her and check in on how she's doing with that. So we are now as Carla and we are in her vulnerabilities managers workspace. And just a critical goal in major incidents is really to ensure that there aren't going to be any more systems that might actually be vulnerable to the specific attack. So Carla is going to be able to use her vulnerability manager workspace to check in on that. 
And so when we talk to a lot of companies, we do see that they are still using e-mails or spreadsheets to perform all this complicated and really continuously changing vulnerability response looks. And that's going on between their security and their IT teams. And what we see is that it's just a manual and slow process. And so we actually are able to help automate these processes. And we've actually been able to see customers reduce their total number of open vulnerabilities by up to 50% within 6 months of going live. And so from here, Carla is looking into that Log4Shell vulnerabilities, and she wants to make sure that nothing else is going to be attacked within the space. So what she's going to do is look in at the overview originally. Again, she's going to be provided some widgets to understand what's going on within this specific vulnerability. And impacted CIs, she is going to be able to see the single system of action that's going to provide her all the information on the CIs that are actually related to this vulnerability. So she can see there are 40 distinct CIs attached to it. She can see based off what class they are in. She'll be able to see any of the distinct vulnerability. So within the -- all the things going on, there are 2 distinct vulnerabilities. She can see if they have any existing exploits all at a glance. And your organization is also going to be able to see all the vulnerable items and the configurations they are actually related to. So at the top, you can see that there is this vulnerable item number, and it is related to the Apache configuration item. And so Carla now wants to take a deeper look into the remediation of the specific vulnerability. So once she goes into a remediation effort, she is able to look at all of the current vulnerable items. So she can see that there are quite a bit to work on, but remediations have actually already been started. 
So these efforts are actually going to be automatically routed to work on from IT and just really help save you some tremendous amounts of time for your security team so they're not having to worry about assigning these and getting them worked on. You can just send them off to IT to be worked on so your IT or security team can focus on what it needs to. And actually, once you route it to IT, you can actually break apart the remediation task. So in larger organizations, they can actually split the work across hundreds of people to work on. So it's getting done relatively very fast instead of having to wait on one person to solve it all. And from here, operations teams even have this more simplified view to know exactly what they need to do to target and deploy the fixes or anything that needs to do with that. And actually, we can now automate any scheduling and delivery of patches through integrations with Microsoft, Titanium and even BigFix, and that just helps move things along even faster. And so across security and operations, we just are here to make it easier for you to get more important work done every day. So once Carla looks into this, she can let Adam know, hey, we're working on it, and it should be resolved quickly. So that is pretty much everything I wanted to show you within the demo today. So I'm going to hop back into my slides. So again, today, we were able to start off with Andrew, who looked in on the CISO dashboard to understand what was currently going on within his system. He had that 10,000-foot overview, just being able to evaluate everything that's going on. He was then able to reach out to Adam to ask him to maybe look into some of the major security incidents going on. And Adam was able to use his major security incident workspace to really just evaluate the incidents, look into what tasks are being done and ask Carla how they were doing on getting those vulnerabilities resolved. 
And Carla was able to use her vulnerable response work space to make sure everything that was related to that incident and could be a vulnerability was getting remediated and worked on. So I quickly want to cover a quick customer success story. This is Bupa, and they're actually a leading global health insurance provider, and they actually cover insurance over 32 million different people. And some of the challenges that they were seeing where they needed to be able to strengthen their risk management and their data loss prevention and their intrusion, detection and preventions. They needed to be able to improve their ability to respond to systems compromise and protect their customer data from malicious or accidental compromises. The solution that we're able to provide them was an introduction to the ServiceNow security operations and really just leveraging their existing ServiceNow technology. And we're even able to roll it out in phases. So Phase 1 for them was the vulnerable response. And then Phase 2 was the implementation of the security incident response. And I just always love going over the results they have. So they were able to prioritize security risk by making data more accessible. They were able to protect sensitive customer data from threats, and they also had a rapid response to threats, avoiding the service delivery interruptions. And I also just love the quote from their Head of Cybersecurity. It just says, "Our vulnerabilities response and security incident response talk to our ITSM and the CMDB. That's really helping us address the right risk in the right order." Before I conclude, I just want to do a quick recap of everything we've gone over today. So we were able to start the demo from that CISO dashboard and gain that full visibility into the company and how the security team was doing. 
From there, we were able to see how Adam was able to see those risks that were grouped together and properly prioritized so he knew exactly what he needed to focus on. We also were able to help with workflow automations and remediating tests within the company's vulnerability workspace. And then lastly, we were able to track all of that performance through all of metrics. And I did get a question earlier today asking how to share the content with a coworker who wasn't able to make it. All you need to do is actually go ahead and scan that QR code. It's going to take you to a link with information about today's products, so information about security operations and even a prerecorded demo on the topic. I just want to thank everybody for coming out today and listening to this demo. I'm going to be hanging out here for anybody who might have any additional questions. But if you think of any later, please feel free to e-mail me. My e-mail's on the screen there, [email protected] or if you have any questions for the Demo Center and their scheduling or survey questions, please feel free to e-mail them. It's [email protected]. Again, I just want to thank everybody for coming today, and I hope to see you again soon.