8/20 ServiceNow and BitSight deliver Real-Time Monitoring and Automated Response to Third-Party Risk
Host: Hello everyone. We're just going to take a few moments to allow our attendees to join us today, and I'll be repeating a few things that I'm about to say. So first, welcome. Number two, we will be recording this. It will be recorded live, and it will be available on the link that I'll provide in the chat, on the community. If you ever have any questions after that, you can always post them and watch the replay on that community link; I'll be providing that. So we'll just take a few more moments to allow our attendees to join today. If you do have questions during the live session, please use the chat or the Q&A so that we can address your questions in a timely manner. We'll take just a few more moments as we gather our attendees. We hope you do get to share the recording with any of your colleagues in your social circles that might be interested in this insightful Ask the Expert event today. We're excited that you have joined us. We'll just take a few more moments; we'll probably start right at the top of the hour. And you know, if you want to provide any feedback, either use that community link to let us know what other topics, or if you want more in-depth on today's topic, just let us know, or any other areas of interest you might would like to see us present. A few more attendees joining us today, and I'll repeat what I said earlier: this is being recorded and will be available on the community link that I'll be providing in the chat window shortly, so if you miss any of it, it'll be available. Well, thinking that we're going to have a full agenda today, I'm going to say welcome again, everybody, and thank you for joining us today. And Gita, let's go ahead and get started.

Gita: So hello everyone. I'd like to welcome you to our ServiceNow webinar with partner BitSight to discuss delivering real-time monitoring and automated response to third-party risk. I'm Gita John Davis. I'm a senior advisory solution consultant here at ServiceNow, specifically working with our risk portfolio, which includes vendor risk management. I've been with the company for about three years, and I'm really excited to present this topic with you today. I'll turn it over to Leslie to introduce herself.

Leslie: Thanks, Gita. Yeah, I'm Leslie Sloan, one of the consulting engineers at BitSight. I've been here for about 20 months, and I'm so excited that I get to extend my prior experience at ServiceNow into my BitSight experience, and we bring the two organizations together with this offering.

Gita: Awesome, thanks Leslie. So for today's session we're going to discuss and demonstrate three main items: how vendor risk management drives success within your organization; discuss the translation of complex cyber security issues into simpler business context; and show how ServiceNow and BitSight deliver real-time monitoring and automated response to third-party risk.

In order to be competitive in our global market, third parties are seen as a key partner to our success. Enterprises continue to rely on third parties to assist and accelerate innovation, digital transformation and overall growth. According to a Forrester Opportunity Snapshot study in February of 2020, it was found that 63% of companies are using the same amount of vendors or more third parties from two years ago. And although this increases our overall competitiveness from a business standpoint, it does expose our organization to more risk in areas such as data loss, reputational damage, regulatory actions, loss of revenue or loss of customer trust. However, although the importance of risk management is there, existing third-party risk management processes are typically siloed. They're not linked to business and technology context or risk, which leads to us not making decisions based on the full picture of our organization. They're typically immature, and they're not scalable across all teams within the enterprise.

The goal for a vendor risk program is to seamlessly embed third-party risk into enterprise workflows so we can drive risk-informed business decisions. At the center of it is a common data model, which should house all our third-party information, our risk data and our performance results. Our vendors can interface with us via a third-party portal where they can provide inputs within the process, and we can leverage that for our decision-making items that we need to do. And with this data we can also have a comprehensive risk process, which includes managing a vendor portfolio, performing both tiering and vendor assessments, performing third-party monitoring, generating issues and deficiencies, and many other aspects of the overall program. This also can connect to our broader GRC program and give us a better view of our regulatory compliance, our enterprise risk and the status of our business continuity and disaster recovery plans. Finally, the end users can benefit by getting tailored interfaces and dashboards that are relevant for their jobs and their context in order to make the proper decisions in their day-to-day work.

ServiceNow is the only modern cloud vendor that offers a comprehensive third-party risk management program tightly integrated with and embedded into everyday work across the enterprise. Our cloud offering allows you to scale your processes while being assured of their reliability. We allow for a comprehensive view of vendor risk by enabling continuous monitoring at scale and issue notifications. We embed third-party risk with other risk and compliance functions through cross-functional applications, leveraging our single Now Platform and leveraging a common data model. And lastly, we're powered by the Now Platform, which allows us to do things like develop digital workflows, leverage mobile capabilities, leverage machine learning, and also having the configurability to meet your overall processes and your needs.

So when we look at ServiceNow and BitSight together in this demonstration that's coming up with Leslie, we start off with the vendor catalog, where we can collect basic information around our vendors, but also we can perform tiering assessments to understand what our inherent risk levels could be by leveraging that vendor within our organization. And we can also feed in BitSight security rating integration information to get that extra context around the risk we could be potentially taking on. This connects to our vendor portal, where we can actually interface with our vendor and gather assessment information from a residual risk perspective around what our vendor is doing to reduce risk in their environment. We can generate issues, share that with our vendor, and collaborate around deadlines in order to close those items out. And at the end of the day, our various teams like legal, HR and IT will have access into this data to understand what type of risk they're taking on and what they need to do to mitigate that and continue their business operations as needed. So with that, I'll turn it over to Leslie to talk a little bit more about BitSight and lead us into the demonstration portion.

Leslie: Thanks so much, Gita. So if you've not heard of BitSight, we are the leader in the security ratings industry; in fact, we created this industry. BitSight is using 120 different data feeds on a daily basis to utilize data that's coming in from across the entire publicly addressable IP space. That enables us to create our three-digit security rating, which is data-driven information that leading companies are utilizing in making their vendor risk decisions. So in addition to our 2,100 customers that are worldwide, we've rated over 200,000 organizations, and we've got 25,000-plus users utilizing our platform on a regular basis. So you can see here some of the leading organizations that have chosen to utilize BitSight as part of their vendor risk management program.

Awesome. So like I said, we're utilizing 120 different data sources to bring in data, to bring simple context from very complex information, creating that three-digit rating so that you're easily able to have a data-driven conversation amongst your own organization and with your vendors about the security performance that they are providing. So the way customers will utilize BitSight data is to both look at their own organization as well as their third parties. Today we're going to be focusing on the third-party uses, where you can utilize BitSight information to make cyber risk decisions very quickly. You're using this information across your organization for your entire supply chain, enabling you to prioritize your resources to focus on the most risky vendors and then collaborate with those vendors to improve everyone's cyber security performance.

So with this, we're using this so that you're able to get data into ServiceNow and you're able to bring the two solutions together for a much richer solution, or a better-together perspective. This allows you to control your risk exposure, so you're continuously monitoring to detect vendor changes in real time at scale. This gives you the ability of the power of the platform of ServiceNow to automate your workflows, and you're consistent amongst your different vendor risk analysts, increasing your performance and productivity, making you super efficient in your process of evaluating your different vendors.

So I'm super excited that I'll be switching over to my live instance of ServiceNow to show you how you can utilize the BitSight data in ServiceNow, making your vendor risk program much more efficient. Can you confirm for me that you can see my screen, so I know all of our participants can as well?

Gita: Yes, I am seeing it. Mm-hmm.

Leslie: Great. So what I've done here is I've opened up our BitSight for Vendor Risk Management integration application, which sits on top of the vendor risk scoped application within ServiceNow. So a typical workflow would be one of onboarding. What you would do would be to start in a vendor, such as my vendor here of Black Hills Technologies. Okay, I can see Black Hills Technology. Okay, you've got to love a live demo; you always get to see how things actually really work. So we're just running a little bit slow within the platform here. This will open up in just a moment, and you can see the data that is coming through from the BitSight application into ServiceNow.

So while I wait for that, I'm going to switch over into BitSight. So this is actually the BitSight platform, and like we talked about, there is a three-digit rating produced on a daily basis using the 120 different data feeds that we get. You also see how risky this business is, because we've classified it: is it Basic, meaning a high-risk organization, an Intermediate organization, or do they have an Advanced security rating? So that is brought over for you automatically into ServiceNow, and unfortunately it's just struggling a little bit to get that to come up. So let me cancel it and I'll start the transaction again, opening up Black Hills Technology. When this opens up, you'll see that we've done a great job of providing parity between the BitSight platform and ServiceNow, in that you get that three-digit high-level rating. You also get a view of the performance of the organization over the past 12 months, and then the points of interest where that organization has had a 10-point or greater drop in their rating, such as these. And then additionally, you get in the rating overview the 23 risk vectors and their associated grades. Let's see if that's available here in ServiceNow. Perfect. So giving it just a moment to bring that in was all we needed.

So again, you can see the name that's come over. You are setting the status with the organization, you are setting your rank tier. Now, using BitSight, there is something called a tier recommender. This is based on the BitSight community and how other organizations are working with this vendor. You can choose to utilize this simply by clicking on the light bulb here, see what's more available about it, and then if you want to update the vendor tier based on the recommendation by BitSight, you've got that option. Or Gita, you were saying there's a way you can set this within ServiceNow?

Gita: Yep. So as well, customers can perform inherent risk assessments with their internal stakeholders and ask a variety of questions that can lead to a tiering score from more of a manual perspective. So customers can choose: do I want to do my own assessment, do I want to leverage BitSight, or a combination of the two to determine my tiers for my various vendors.

Leslie: So scrolling down the page, looking specifically at the BitSight security ratings, as we're looking in the BitSight view here within BitSight for Vendor Risk Management, again you see the parity between the BitSight platform with that high-level rating, the 12-month view of the performance of the organization, again the highlights of the times when they've had more than a 10-point drop in that rating, and again the 23 risk vectors with their associated grades, just like you saw over here in ServiceNow.

In the BitSight platform itself, a new feature with the release that just came out in September, in July, is to have the BitSight assessment report available right here within ServiceNow. What this does is we have worked with our customers to look at various different types of questionnaires, or it could be your custom questionnaire that we take in. We then map that to different risk vectors within BitSight, so we're reading the question and then saying, is there visibility on the BitSight side of the questionnaire here? So in this case we have mapped 55 questions that have a BitSight risk vector that aligns to the question being asked as part of your onboarding process. In addition, you can note here where we've got the risk vector that maps and aligns to this question. You can also see areas of increased risk that we have flagged on your behalf wherever these risk vectors have a grade average of B or lower, making it very easy for you to identify areas of risk right within the context of your own assessment question.

So another way that you can utilize this would be as part of your overall assessment process. What I've got here is I've created an assessment that we can then take a look at, but first you might want to see how this looks for your vendor. So the assessment is created, and it's then sent off to the vendor for them to respond to. Before we take a look at the responses, let's look at it from a vendor perspective. So here we are in the vendor portal for this same organization, Black Hills Technologies. I can see that they've got an assessment here for the SIG to produce the security assessment, but additionally, Gita, there was an assessment you placed here with the consulting engagements. Can you speak to that for a second?

Gita: Yes. So as part of our Paris release, which came out in June, we have this functionality now where we can assess a vendor at the vendor level, so the actual vendor, like Black Hills Technology in this case, but we can also assess any sort of engagement or service that they're providing our organization. So if we want to have more of that vendor hierarchy, what are the individual services, what are the risks of those services and how it rolls up, that is now a capability, and the vendor can be able to see what are the assessments I have specifically for our organization as well as the services that we're providing.

Leslie: Awesome. So back to our onboarding assessment, where we can see that we've sent them the security assessment for 2020 for moderate risk. This is actually the SIG questionnaire, and if you click into it, I can continue to take a look and see what questions my vendor has looked at, and you can see that they've gone ahead and signed their assessment. So this is how it looks to the vendor. But now, thinking back to our vendor risk analyst and their workflow, if I come back to my ServiceNow interface, I can take a look at the responses that my vendor has submitted. So using the BitSight for Vendor Risk Management application, I'm now also able to bring in those mapped risk vectors from BitSight directly into the responses viewable from the vendor. So again, this looks very similar to what we saw in the vendor portal. I can see where they have signed it, I can see where their questions are. So going to one of those first flagged questions, where I can take a look to see what the alignment was like, right here, of the BitSight risk vector to the question: it's great that in this case there is alignment, there's parity. They said yes, and we see that they have an A in this risk vector grade. But if there is a difference, what we have done from BitSight is to flag those questions so they're very easy for you to see as you're going through and reviewing your vendor's responses. I can see that they said yes here; however, I'm seeing that these risk vectors that are aligned to this question do not have grades that meet my risk tolerance. So what I would probably do here is I want to create a follow-up task for the vendor, and I'm going to create a task with a comment for my vendor to please provide more details on their mitigating controls. I simply go ahead and save this back here up at the top, and I can create that issue. So now over here in my issues screen I can see I have two issues. I'm going to take a look at this one here where I created one earlier today, and I'm asking my vendor for more information about those mitigating controls. That then appears over in the ServiceNow vendor assessment portal under their issues, so they can take action right here and respond to my question and concerns about this question. I can see that there's a task also associated to it requesting more documentation. So I got more detail and visibility of the need for this documentation because the BitSight risk vectors were mapped and shown right against the assessment in the ServiceNow platform itself, and it's super easy for the vendor to follow up on that.

So as you move through your life cycle with a vendor, this is great for onboarding. However, as you are working with them, you likely want to continually monitor their rating and see when you've had any sort of changes. So you can actually see that in two ways. One, this information here in ServiceNow is updated by default on a daily basis. But also you can then bring in the alerts based on risk vector changes or overall grade changes for that vendor right here. That can also auto-generate other issues or tasks for the vendor to respond to, such as this one right here that was created based on a warning where there was a percentage change for this organization. Gita, are there other workflow processes that can be engaged based on this?

Gita: Yep. So you can set rules within ServiceNow as well to say, if there's a certain point drop or a percentage of a point drop, you can actually automate sending an assessment to your vendor to understand why that drop has happened. So as part of the assessments tab we can automate those assessments as well as generating issues that we share with the vendor. It's going to be tailored based on what your organization does: would you rather send an issue or an assessment? But both are capable.

Leslie: Awesome. I imagine that makes it a very efficient workflow process for vendor risk analysts.

Gita: Definitely.

Leslie: So the last thing I wanted to touch on real quick is showing you that you can see all of your risk vectors that come in from BitSight in one screen. So if you want to see on a daily basis what is going on, what's changed, who you need to engage with, that's available for you right here. As well, you can see your vendor risk issues populate into a single screen, so you could take action from here to assign them to a vendor risk analyst or just go ahead and close it out. But finally, we wanted to touch on the dashboard, because this brings a lot of great information right to your main point of visibility. You can see how many organizations are in your portfolio, how they are categorized, but then, to make your job even easier, you can see some graphical information of the alerts that you've gotten from BitSight: how many are critical, how many are warning, or if you've had some vendors improve their performance. That's awesome; you may want to just reach out and say congratulations or thank you. These can be broken down by critical alerts in the last 30 days or warning alerts, or if you want to look at this from a risk vector perspective, you can also do that. So knowing that botnets are very highly correlated to breach, you likely want to see how many botnet infections you have gotten in the last 30 days and from what organizations. So that's all brought in right here, one easy screen that's populating the dashboard. So, a very easy integration to utilize and work through throughout the life cycle of your vendor, from that initial onboarding throughout its continuous monitoring of the performance with that vendor. Gita, have you gotten any questions?

Gita: No, but if anyone does have any questions, feel free to post it in the chat or the Q&A and we'd be happy to answer before we wrap up.

Leslie: So like all ServiceNow integrations, this is available right off of the ServiceNow Store. You'd simply come out and do a search for BitSight, and then you can find the tiles that you would use to start the integration process right here.

Gita: So a question has come in: do I need to pay for the integration?

Leslie: Ah, great question. So while you would have a subscription that you're paying for both ServiceNow and BitSight, the integration itself is available at no charge. Super easy to get through the store; simply have your ServiceNow admin log in to HI and they can go ahead and get this application. Any other questions?

Gita: So the question has come in: for very small companies that are not able to be added to BitSight, can you still do an onboarding and recurring assessment with them via ServiceNow? So definitely. You know, if BitSight doesn't have the data around the organization that you're looking at, we still have the ability to bring that organization into our vendor portfolio within ServiceNow, and you can do an inherent tiering assessment through a questionnaire functionality instead of leveraging the BitSight data. And also you can still send assessments out to the vendor from a residual risk perspective and onboard them as necessary.

Leslie: Great questions. But I'd also like to say that please reach out to your BitSight team to make sure that we can, or make a request to map that organization. For the most part we're able to map organizations that have at least a minimal internet footprint.

Gita: Great, thanks Leslie. We have another question come in: do I have to have any other ServiceNow products to use VRM and BitSight? So the answer for that is no. All you need to have is a VRM and BitSight license, and then you have access to the integration. There's other components of the ServiceNow platform that can add value from a vendor risk perspective, like our vendor management workspace and ITSM and so on, but they're not necessary.

So back on the main page for a vendor, I noticed that the field for risk rating was empty. Is this field usually populated? So let's go and take a look at that one, Leslie. So let me see. Ah, so that risk rating field that you see there is empty because we just didn't go through the entire risk process. We talked mainly about the tiering assessment piece, where we would bring in BitSight data or, you know, perform that inherent risk assessment. But that risk rating is going to be populated based on the assessment results you receive back from the vendor once you've approved them. There's an algorithm around how they answer the questions that is going to drive that rating that you see there. So great question; it will be populated in a proper, full production environment.

All right, so there is another question: is VRM different from the GRC module? So great question. The GRC module contains a number of different applications, essentially. So we have a policy and compliance module, a risk module, an audit module, a business continuity module, and we have the vendor risk module. So it's a component of the GRC portfolio, but from a licensing perspective it is licensed separately from the rest of the GRC suite.

Charles has asked, can you customize... oh sorry, did I go off? Carl says, can you customize your assessment questions? Yes. So we actually have a number of assessments that come out of the box, like the SIG Lite, the SIG Full, SIG Core, that are licensed with the platform, but any other questionnaires that you want to create, you can bring in your own questions, you can import them into ServiceNow. So that's all flexible, and you can have as many questions and assessments as you want.

Leslie: From the BitSight side, we can work with any assessment as well. We only request that we get a blank copy of the assessment, and then we'll map our risk records to it as appropriate.

Gita: Perfect. And then we have one more question: how many vendors can I manage? So there's no limitation to how many vendors you can manage. You can bring all of the vendors across your organization into the vendor portfolio from a tracking perspective, and you can choose which ones you want to actually send assessments to. And there's no limitation to, you know, how many assessments can I send out, how many types of assessments can I send them; that can all be worked as part of the licensing.

So now there's another question: is SIG Lite a standard? Yep, so it's a standard questionnaire. It's the Standardized Information Gathering questionnaire by the Santa Fe Group that covers a variety of topics like information security, privacy, business continuity and so on. So a lot of our customers will use the SIG in some sort of capacity, and then depending on maybe the tiering score associated with the vendor, they'll choose, do I want to send a Lite version or a Full version of the SIG itself.

There's another question. Sorry, I'm like rapid-fire with the questions, but this is great. Are the VRM licenses by the number of companies in the system, and are they tiered by those connected in BitSight and those not able to connect? So the VRM licensing in ServiceNow is specifically with how many vendors you are going to assess on an annual basis that will actually interact with the vendor portal. So tiering does not play into the licensing count, and the BitSight integration wouldn't interact with the licensing count either.

So another question: is NIST CSF an option for a survey questionnaire? Yes, definitely. It's not an out-of-the-box questionnaire that we have, but what you can do is import the questions associated with the NIST CSF framework, and you could tie that directly to our policy and compliance module. So you can actually understand, you know, what is the compliance of my specific controls based on how a vendor answers a question for a specific application or an asset. So something you can definitely do.

Leslie: Now, once you do that and you're using the NIST CSF in ServiceNow, BitSight has already gone ahead and mapped the NIST CSF assessment, so we do have this already available within our portal by default. So as soon as you have that uploaded into ServiceNow and have your vendors respond to it, you can, out of the box, get this information from BitSight as well.

Gita: Great, thanks Leslie. Any other questions before we wrap it up today?

Leslie: Yeah, it looks like we have another one from Charles: how easy is it to track and collaborate as a team in ServiceNow, which BitSight doesn't provide?

Gita: So basically, BitSight can provide a lot of the information and the cyber risk information around the vendors, and then we complement that by actually kicking off the workflow. So how do we assign tasks based on that information, how do we assign issues, how does it tie to the broader GRC piece, and which individuals need to get involved, maybe, to mitigate the risk around those vendors. So that's where ServiceNow really comes into play. And the idea is that these tasks and these issues can be combined with the typical tasks you would do from an IT perspective when we look at traditional ServiceNow ITIL processes. So it's just continuing what end users do on a daily basis and adding those tasks in there, so work gets done faster, we can track SLAs, we can get notified if things aren't done. Sorry, is there a question?

Leslie: No, I'm just wanting to check to make sure everyone could hear you. I think my internet is a little bit unstable.

Gita: Oh, no problem. Yeah, so I just wanted to emphasize that it's the same sort of work that we're doing, but now we're just adding vendor risk into typical people's queues.

So there's another question in the chat: is there an administration manual available for the plug-in? The integration page doesn't seem to include that information. So I think in ServiceNow, if we go in the store, I think under the documents there's the install guide.

Leslie: Yeah, so the installation guide will help you walk through the various screens that you need in order to configure the integration app within ServiceNow. As far as administration, not really a guide per se, although we would certainly add that to our things that we could produce for you. I would love to have this questioner work with their BitSight team, and then I can engage with you directly, walk you through the workflows here, and be happy to work with you one-on-one in that case.

Gita: Perfect, thanks Leslie. Any other questions?

Host: Did we get the one from Julie?

Gita: I think you just did, the "is there an administration manual available" one.

Host: Okay, great. All these great questions coming in; it's like, oh, which one, which one next?

Gita: Good problem to have.

Host: It is. And I'd like to make a little reminder, and I'll put the link in the chat as well again, that if you do want to replay this recording today, it is available on the link, and you can always post questions any time after the fact for our experts to engage directly with you. And it looks like Julie did add to a question: when the requests go out to vendors, how do they respond?

Gita: So they respond through that vendor portal that Leslie was showing in the demonstration. They get notified, they're able to log into the vendor portal itself, and then what they can do is they can answer any of the assessments that you send them and answer the questions in detail. We can also assign issues and tasks to them as well that they can work through, and then each of these can have SLAs. They can get notified if they're overdue, and they can provide commentary and information above and beyond, you know, what's directly on the page. Any other questions?

Host: You're welcome. I think this has been fantastic today. So I guess with that, please, I do ask anybody who has more questions in the future, after this recording, to go ahead and put it on that community link. I'll just share my screen so that everyone can also see that. It's right here. Here we go. Does everyone see that? This is on the community. All right, so with that, thank you all today and have a great afternoon.

Gita: Thank you, and thank you Leslie for joining.

Leslie: Thank you.
https://www.youtube.com/watch?v=rpRACr6HCc8