1/28 Ask the Expert: Risk Quantification Just Got Better with New RiskLens/GRC Integration
application. If this is your first time joining us, this is just the latest in what's been many Ask the Expert sessions on our IRM ecosystem here at ServiceNow, including product enhancements, new solutions and partner applications. My name is Joe Montgomery. I'm a solution architect here at ServiceNow focusing specifically on the risk management applications. I've been in the integrated risk management space for over a decade now; most of that time was spent in implementations of GRC programs at different organizations, and I've been with ServiceNow for a little bit over a year now. I'm pleased to be joined by Carrie Wise from RiskLens. Carrie, do you want to go ahead and give a quick introduction of yourself?

Absolutely, thanks Joe. My name is Carrie Wise. I am the head of partner professional services here at RiskLens. I've been in the information security field for over 20 years. I've been at RiskLens, specializing in risk quantification, for over three years, and I also sit as the co-chairman of the FAIR Institute's federal government chapter. I'm really happy to be here today and talk about how risk quantification can enable and increase the value of an organization when taking advantage of the RiskLens and ServiceNow GRC integration.

Fantastic, thank you Carrie. So ServiceNow's integrated risk solution is a suite of applications covering policy and compliance, audit, business continuity, vendor risk and our topic today, risk management. We do also provide a handful of applications, and we're constantly coming out with enhancements and new applications that are available on the ServiceNow Store. A few of the recent examples of those are Regulatory Change Management, Resilience, and an application to allow organizations to better manage the NIST Risk Management Framework. So we're constantly innovating, we're constantly enhancing our applications and rolling those out to the Store. All of these solutions are powered by and built on the ServiceNow platform. What this means is that we take advantage of all the functionality provided by the ServiceNow platform, things like Flow Designer, service portals, mobility, CMDB, as well as the ability to seamlessly integrate into the other ServiceNow applications, including IT Service Management, IT Operations Management, etc. So it really is a full integrated risk management solution built on the platform that provides the capabilities and the ability to really manage that enterprise view of risk.

Now, we do have a fantastic partner ecosystem that surrounds our IRM solutions, and that includes advisory partners, implementation partners, content partners and technology partners. Our technology partners provide solutions that extend the ServiceNow capabilities in our risk management space. A perfect example of that is leveraging the FAIR methodology, and you'll see RiskLens there as a top technology partner of ours. So while our topic today is the new integration that we've released between the latest version of RiskLens and ServiceNow Risk Management, our relationship with RiskLens as a technology partner actually goes back a few years now, to I believe the Madrid release of ServiceNow. So we're very excited to continue that partnership with RiskLens, and Carrie, I'm excited that you joined us today to provide some expertise and a walk-through of the RiskLens platform. So with that, I'll hand it over to Carrie to talk through RiskLens and FAIR a little bit.

Excellent, thanks Joe. So what I want to do is just start off by talking about FAIR, and why FAIR, why use the FAIR standard within risk. The FAIR standard, if you're not familiar with it, is an industry standard, and what it does is it enables organizations to quantify your risk. If you look at the FAIR model, what it does is it really allows a framework to decompose risk. Typically we think of risk as frequency times, or likelihood times, impact, and what we do with FAIR is we take that and we look at how often these events happen, these loss events, and then, should they occur, what is that financial impact, and we look at that in terms of loss magnitude. What we see here is, by decomposing risk into these different factors, it allows us to apply critical thinking to an area that historically typically lacks that. The founder of FAIR, Jack Jones, often refers to this as the finger in the air qualitative measurement, and that was really the impetus of the creation of FAIR: to be able to dive in a bit deeper and explain to the decision makers how much risk we actually have in terms that the business speaks, so financial terms.

Next slide, Joe. What I want to do is talk about RiskLens and how we leverage FAIR. RiskLens continues to elevate FAIR to higher levels by combining an industry-leading platform with world-class services to deliver solutions for decision makers worldwide. The way that we do this: there are many different values to get out of RiskLens. If we look at the platform, this can be done by rapid assessments, taking an analysis that would typically take months if not weeks to do and condensing that down into approximately 15 to 30 minutes to do an analysis, and today I'm going to show you how we would do that using a guided workflow, utilizing data libraries within the RiskLens platform that are populated with industry data. We also leverage our automated computational engine to be able to crunch the numbers; this takes it well beyond other means and other types of tools that organizations may have been using. And quantifying risk by creating a program, a systematic way to measure and evaluate risk, is really what the RiskLens platform is all about. Of course, being able to quantify risk, that's great, but you need a way to translate that and understand it, and that's where our reporting comes into play. And then lastly, to be able to really take advantage of the RiskLens platform, we are here today talking about the GRC API, and this is how we integrate with ServiceNow. One of the things that we're going to do today is show you how you can take a risk within your GRC and, via the API, pipe that over to RiskLens, conduct an analysis, get your quantitative results and take a look at some of the reporting and what that actually looks like feeding back into your ServiceNow GRC.

Next slide, Joe. Thank you. So when we look at RiskLens, to summarize, it's really about enabling decisions and decision makers, providing data to make those decisions. It allows you to justify, prioritize and manage the cyber security investment decisions and risks within a company dealing with digital growth and transformation, especially during times where you may be financially strapped and you want to actually understand where your financial exposure is within your organization, to best make those financial investment decisions. Now, the way that RiskLens helps support those decisions, it helps on many different levels. If we look here, we can see just a short example of how RiskLens enables decision makers at the strategic, the operational and also the tactical level. So within an organization, thinking about the different workflows and processes and risks and the decisions that need to be made within an organization at those three levels: how much information, how much more information, do we need or could we use to help make those decisions and justify those decisions? That's really what we're going to be talking about and showing you today. Back to you, Joe.

Thank you. Sure. So real quick, before we jump into RiskLens in a live environment, I just wanted to highlight how that process would start and initiate from the ServiceNow side. You can see we are on a risk, the loss of confidentiality for a specific entity, which is our crown jewel database here. This is a risk, an entry in the risk register within the Risk Management application, and you'll notice, because of the plug-in, the integration that we have from RiskLens, that there is a Subscribe to RiskLens action at the top, a button to select. This is all that you need to do to initiate the risk assessment within RiskLens. So the click of a button will send this through the API; it will create that risk assessment for you on the RiskLens side and allow you to complete that analysis that Carrie will walk us through here in a moment. The setup is incredibly simple. We'll talk a little bit later about the Store and how we would get that, and then bringing the results back, the analysis results, into ServiceNow and how you can use that information to make the decisions that you need to make. But just highlighting that, through your risk register, it is the click of a button to be able to initiate that request for any risk you want to perform that quantitative analysis on. So with that, Carrie, you can go ahead and take the screen and we'll jump into RiskLens here.

Excellent, thanks Joe. Before I do that, I see a question that came in. We will be taking questions live here; as we see questions coming in, we'll try to view those and respond. I would like to respond, because I think this is a timely question. The question was: what is the difference between RiskLens FAIR and Open FAIR? Great question. Let me start with Open FAIR. Open FAIR is the standard; that is the model which everybody saw earlier on, and what I'm about to show is RiskLens. Now RiskLens leverages the FAIR model, which is an open model. It is held by the Open Group; you get trained and certified in it, but that does not mean that you are obligated to use RiskLens. RiskLens uses FAIR, as an open standard, for our platform to conduct the analysis, as a baseline for the analysis, and what I'm about to show you is how RiskLens goes much above and beyond just that of FAIR.

I'm going to grab the screen from here, Joe, so we're going to show you how we do that. You'll see some similarities here between the way that the RiskLens environment is set up and FAIR, and I'll show you what that looks like. So as you saw on the screen before, where Joe had the box for RiskLens where you need to click, what's going to happen is that's going to generate an analysis within the RiskLens platform. If that analysis has already been generated but you're updating it, you'll see here a timeline of how the risk has changed over time. With that new update, it's going to create a draft for you. We can go into that draft and take a look at some of the questions and some of the data that you would look to collect, and some of the questions you'd look to answer, as a way to get a quantitative result for that risk.

So first and foremost, within the ServiceNow platform, to get to this point, what it does is it uses the FAIR construct as far as scoping of a loss event. That means having an asset defined, so in this analysis we can see that the asset is a crown jewel database within an organization. Another part of the scope here is knowing who is the threat actor that we are concerned about for this particular scenario, so in this one we can see it's an external actor that we are concerned about who would breach the confidentiality of this crown jewel database. So once we have an analysis scoped using FAIR, we're able to analyze that within the RiskLens platform. I'm going to go here to workshops and just walk through and show everyone how simple it is to select some of the data. We talked about how there's industry data within the RiskLens platform; well, within here I'm going to show you how we can leverage that.

You can see here there's different workshop modes. To do a quick 15 to 30 minute analysis, we could leverage the triage function. The triage function is going to ask very simple questions and guide you through doing a high level estimation, essentially, of that loss event frequency. Now it's going to do that by asking if this has occurred in the past. So as a frame of reference: do you know if this has happened? You answer yes or no, and you can select how often from a drop-down menu, and that's going to populate your range, because when we do a FAIR analysis we use ranges to account for uncertainty. Then we're going to ask you, looking forward, because we're forecasting risk, if you would expect this to happen more frequently or less frequently or stay about the same, and then to which degree would you expect that to change. So you have the opportunity to do that just to get a rough estimation, and the reason for doing this is to first get an understanding of our risk landscape. I often say that if you want to understand how much risk you have, first you have to understand what risk you have. So once you understand what risk you have, a good first exercise is to evaluate a rough estimation, essentially, to determine if this risk is, quote unquote, high enough or impactful enough to the organization to do something about, and this is a way of prioritizing your risks. How do you prioritize which high risk is higher than another high, or which red is more red than the other red, if we're referring to heat maps? This is a way to do it. This is a way to prioritize these. So we can triage this, and that's going to take care of that left-hand side of the FAIR model where we talk about frequency. You can see here it's laid out to the FAIR model, where we have frequency, so it's right about frequency and vulnerability, and then we can move over to the magnitude side, where we start to quantify the financial impact of this loss event.

Now this loss event for this scenario, again, is the breach of this organization's crown jewel database that's holding all the information. They're concerned about it being breached by an external party, an external threat. So we would decompose that and say, well, how would they do it, and we would estimate, walking through what controls would come into play, to determine roughly how often we expect this to happen. We do want to take into account controls that would help prevent that, how efficient these controls are, and we can do some high level estimations.

Now, once we get to the magnitude side, a feature that is available throughout the entire platform here is something called data helpers. Data helpers are something that we subscribe to, and what this does is it enables us to select data instead of collecting data. A lot of this information is pre-populated within the RiskLens instance as part of that industry data. What we can do here is we can look at a breach incident response calculator, sorry, data helper here, and we can select what type of an event this is. Because this is a crown jewel database, would we suspect this to be an all-hands-on-deck type of response, or is it significant? If we're looking at another incident that maybe is internal, it's not going to be public, well then we would have a non-public event here, and then the correlated, associated person hours for responding to that event. So we can subscribe to that, and then the same thing down with the employee wage. We're going to leverage the RiskLens computational engine instead of doing this by hand or in any other type of, say, just a generic basic calculator; we're going to leverage Monte Carlo and some other factors here. So we can subscribe to these data helpers, and we're going to go ahead and use this, because the majority of it is going to be IT employees who are going to respond to this and do the forensics and of course the incident response. So that takes care of the primary loss magnitude. If you're familiar with FAIR, we break that financial impact, that exposure, down into primary and secondary forms of loss here. So we can go ahead and account for all the primary losses that we would encounter as part of this loss event, and then we can also go to the secondary loss magnitude tab here and we can leverage some of our loss tables.

Now we can use a combination of our data helpers and our loss tables for the quantification of this analysis. So as you see, we have data helpers and we subscribe to all these different questions. When we get to the financial impact of a breach, we see many different factors. The main driver of this is of course the volume of records, but also the type of records. Now the type of records are going to indicate which regulators the organization is subject to. So for instance, if the total makeup of the database is between five to fifty million, and we can see that here, five to fifty million, that was brought in by the actual data stored within the platform, within the asset itself. So we can take a look at the asset, the crown jewel database, and see that when this asset was added, there were already conversations with the business owner to understand how many records would be breached if an external actor were able to compromise this asset. So we can subscribe to that; you can also change that, you can also edit these.

Now the value of editing your data helpers is, when you go in and, let's say, you were to edit a data helper, or the data helper associated with the asset itself, it will automatically populate to all the scenarios that are subscribed to that data helper. Which means, as you're getting updates, let's say this database, after doing the analysis, it was determined that it should not have that many records, and there's an effort to, let's say, first come up with and identify a record retention policy, or if one was in place and it just wasn't being adhered to for this asset, there's a project to go ahead and clean up some of those old records. You'd be able to go in and update that. Now historically you would have to go in and change every single analysis and say, well, we no longer have 50 million, instead we have half of that, we will clean up half of those. By using the data helper, what that's going to do is make the change to all the scenarios and then update that timeline, like you saw early on at the top of the analysis here. So we'll automatically update that risk exposure, that loss exposure, with the updated values.

We can also take a look at what type of data is in the database. We can see here that approximately 20 percent of these 50 million records are payment card information, or PCI, so you would therefore be subject to PCI regulation for this database, as well as 80 percent of those 50 million records are PII. So depending on where you're doing business, you may be subject to, say, GDPR or other types of regulations that serve to protect personally identifiable information. The reason this is important is because those are the regulators that are going to impose certain fines and judgments against you. We unfortunately have many historical examples of organizations whose information has been breached, and there are other companies out there who look at this historical data and compile it, and what we do as a company is we subscribe to that industry data, and our data science team aggregates the data in a way that is usable for the analysis by our clients. That way, all you have to do is answer these very simple questions and leverage the data that I was just referring to, stored in the loss tables, to do the calculations for you. We can also see here there's a little bit of contractual data, some corporate sensitive data in there as well, and you are able to configure what the value of your corporate sensitive data is, whether you have a data classification policy or not. If you do have one, then this is pretty easy, and you can look at what data we consider as corporate sensitive data, and if you don't have one, this is usually a good starting point for those discussions. And if your organization is in different industries, and maybe you have some intellectual property, or you are in the educational industry, we have some spaces for that as well.

Now what's going to happen after you fill these out: you're going to get your green checks along the way, you can run the analysis and start getting some values. Now, this is a single analysis. What I want to do is show you how this single analysis can play into an overall view within an organization. So this is one analysis of a handful here, to really show what the top risks for the organization are. This scenario just plays one part; obviously you have many, many risks within your risk register in your GRC, so how can we aggregate these together? You're able to aggregate however many scenarios you want or make sense, and then you can be presented with a report here that will show you what your most severe event is across your entire organization. Depending on how you do the aggregation, we've done aggregation at the enterprise level to show complete enterprise risk; you can also break this down by, let's say, business unit or portfolios to show what your most severe event is for maybe your business unit or your department or the entire enterprise, and how that compares to other risks within the organization or the business unit, and how these compare to your risk threshold. This is something that a lot of organizations talk about, risk appetite: what is the risk appetite, what is that number. Oftentimes, if you are measuring risk by putting the wet finger in the air and coming up with high, medium or low, or colors, it's really hard to put a number to a risk appetite if you're not measuring risk financially or quantitatively. So here, by running analyses, you're able to get a better understanding of your financial exposure within the organization, which will then help determine what your risk threshold should be. As you're doing that, you can even run hypotheticals to say, well, what if it's 5 million, maybe that's our risk threshold, or maybe if you're a smaller organization, maybe it's half a million. This reporting is very dynamic; as you can see, I can change the number here, I can decide what value I want to report by.

When we talk about quantitative analysis, we use ranges as inputs, which means we get ranges as outputs. For a particular breach, I don't think anybody could say very confidently that if you're breached, this is exactly how much it's going to cost you; typically you're going to be in the ballpark of this area, and that's exactly what this does, but it does it leveraging Monte Carlo and some other mathematical equations to express this in a financial term that makes sense, and in a way that decision makers are able to digest this information to make better decisions, and ultimately be able to compare these scenarios to say where we need to focus our time, our resources and our money for our investments. So we can see here, if I take a look at the aggregate report, we can see the total aggregation, we have a loss exceedance curve, and we can also take a look at our exposure by asset. So if we have an enterprise analysis, or an analysis for a business unit, we can take a look and see which asset is carrying the most exposure. This would probably be a good place to look at investing any sort of financial commitment for any sort of technological control to reduce the risk. If you have a security spend that you're coming up to make those decisions on, and you're trying to figure out where you should invest this money, this is a really good way to look at risk and say, well, maybe it's the crown jewel database, because this is where you have the most exposure, and you can decompose where that is coming from and understand how that loss is going to materialize, and then therefore look at remediation efforts to reduce that risk exposure.

We can also take a look at this by threat communities. So if you have a mix of different threat communities, whether it's external actors, you can break that down by different types of groups: if you're maybe concerned about nation states attacking you, or special interest groups, or maybe general hackers, general ransomware type of things, maybe privileged insiders, which has been a concern for many, many years. So how much exposure do we have from insiders causing harm to the organization? We can take a look at that. If you define the method, let's say ransomware, let's say social engineering or code exploitation, where should we look at maybe emphasizing some security awareness training, how would we do that, what are some of the methods. Now, because the method is not a required component of a scope, you're not required to put it into RiskLens either, so if you don't do that, you're going to get something like this; it says "no method specified". I often recommend to our clients to define a method; that's just another data point for aggregation, and therefore decision making, to help get a better view into the exposure within the organization. We can also look at the different effects, of course: confidentiality, availability and integrity. And then the very last one here that I'd like to point out are the forms of loss. We talked about, if you're familiar with FAIR, how it breaks this down into primary and secondary, and then within those you have these forms of loss. So think of buckets: how is loss going to materialize? We see here that the main one for primary is response, but then the majority of our financial fallout is going to come from a reputational impact due to our organization's crown jewel database being breached. We have to notify regulators and customers; there's a good chance that you're going to be in the news, the media and social media, and that could damage your reputation. So what does that look like financially? What sort of fines and judgments would the regulators impose upon you? What sort of response are you subject to, what sort of regulatory response or customer response; think notification of the breach, remediations, but also, more importantly, credit monitoring, doing right by the customer: what is the organization going to do to value, and show the value of, that relationship with the customers? All of those components of responding to a loss event are captured here and allowed to be decomposed using the FAIR model, and of course the RiskLens platform to do so.

So with that, once you get the results from these scenarios, if we go back into the crown jewel database here and run our scenario, we can see we're going to get some financial results here. We can take a look at the reports for all the scenarios, aggregated or individually, and we can see what that looks like here: how much loss exposure do we have associated with this individual scenario, and we can take a look and see what the driver of this really is. If I were to look at this as a CSO, I would probably look at the frequency of these breaches and say that's unacceptable; we have to do something to shore up our defenses to prevent the malicious external actors from getting into the organization and then stealing the data. So once you have these financial results, they can be ported back into the ServiceNow platform as part of your overall GRC. So Joe, if you want to pick it up from there and show everyone what that looks like.

Perfect, thanks Carrie. As I transition and take the screen back, a quick question for you in regards to quantitative analysis, which is something that I think a lot of organizations are looking to mature into. Can you speak to the baby steps that organizations typically take, that you would see, as far as transitioning from a qualitative analysis to a quantitative analysis? Is it identifying those top assets that you want to analyze, or is it the top risks? Can you just speak to that for a minute here?

Absolutely, and that's a great question. Essentially, how do we start, where do we begin, because oftentimes quantification seems overwhelming, right? What we recommend is really what I referenced earlier by saying, if you want to know how much risk you have, you need to know what risk you have. So I would recommend first looking at a risk register, wherever that is, whether that's in a spreadsheet or in a GRC platform, or maybe it's just held in the mind of the CSO or someone. What we would do is translate those into loss events and do a triage within a platform as a way to quantify those, get the numbers, which we can then prioritize based on that financial exposure, and that gives you a place to start doing a deeper dive and understanding what the components of that risk are and how we can change those, how we can modify those. Now as you're doing that, the other component of this question is how do we make this shift towards quantification. So if that's what you do to begin quantification, what I would recommend doing is augmenting and supplementing the way that you're currently reporting. So if you're currently reporting qualitatively, using heat maps or scoring, I would just start doing these analyses and supplement it with that: this is a high, this is what we rated it before, and after quantifying this, this is how much exposure we have, and then you can actually have a more substantial conversation around the actual exposure and less around whether it should be rated as a high or red or not.

Okay, great. Fantastic. So just to pull this back into ServiceNow: once you've leveraged RiskLens and you've performed that analysis, what are we going to do with those results? Through the API, you can define, and it can be a near real-time transfer of information, but you can see on this same record that we saw earlier from the ServiceNow side that we have the RiskLens subscription enabled, and we've actually pulled back information from that analysis into this specific risk. So we can see some of those values: we're pulling back our minimum loss exposure, average, most likely, as well as our upper 90 and our lower 10. So those are the values that we want to bring back; and then we certainly will provide a link directly back to that risk and risk assessment, that scenario that we performed that really drove these results. The question then becomes, okay, we've gone through this quantitative analysis, how am I going to use this information to really drive those decisions that I'm going to make, as far as where I want to spend my money from a control perspective, what actions I need to take, what I might be willing to accept. So we leverage those results that we pull back from RiskLens in a few different ways, and we just plug them into the greater enterprise risk management picture. We mentioned a little bit of pulling those into our overall scores and then determining what we are going to do about it. So through the standard risk life cycle within ServiceNow, where we go through the assessment and we gather those results from RiskLens, or from the business owner, any information that we have, it then becomes: what are we going to do about it? Are we going to mitigate, are we going to add additional controls, do we need to transfer that risk with an insurance policy? It's all about taking that information that we have, and with RiskLens we get that detailed level of information on what this exposure is to my business, and we want to take that information and ultimately make sound business decisions that are reasonable based on the financial exposure that we have.

So taking this individual risk that we've analyzed and blowing out that picture to more of the enterprise risk view, you can just see across your entire organization where your risk sits. So to the point, and I asked the question, Carrie, about getting started and how an organization might go from quantitative to qualitative, ServiceNow actually allows you to do that. On these dashboards that you may or may not have seen before, a lot of these initial reports are geared around those high, medium, low qualitative type of values. We can plot that on a heat map to see where, again, across the entire organization, those high risks might sit. But as you get into that quantitative level of analysis, and we want to actually assign dollar values to what that risk means to your business, we have the ability to report that here as well. So looking at my organization, where do I have the greatest risk exposure, and where do I need to focus my time and money from a control perspective. I hope that paints a picture of how we can take that information provided from the RiskLens analysis, from that FAIR analysis, and leverage it in the greater enterprise risk management picture as we integrate into other solutions within ServiceNow, and how valuable that information can really be.

So one last thing here; let me jump back to the slide deck. Just to round out the conversation, that integration is available on the ServiceNow Store. This is a screen grab of the Store, and you can go download it. You can see that the integration itself does not come with a charge, so if you are a current RiskLens owner and a ServiceNow owner, then you can take a look at what that means, and there's a lot of additional information on the supporting links and documents as far as some additional detail around the integration and around the setup. But it is very easy to install this from the Store, set it up and start performing those analyses on the RiskLens side. So with that, I think, Carrie, there was a question that I wanted to bring up around RiskLens for enterprise risk, extending beyond cyber risk. Is that something you can speak to?

Yes, absolutely. So the focus is cyber risk; however, FAIR and RiskLens are agnostic to what type of risk you want to quantify. We have done many scenarios, I've done many scenarios personally, around physical security, supply chain, operational, so absolutely it can be applied to any type of risk.

Fantastic. Okay, so if you are looking for additional information, you can always visit servicenow.com risk; like I mentioned, there's a lot of information out there about the integration itself, and there's a white paper that details it a little bit further. I think one of the questions that we got, which I answered in the question section of the Zoom, was will this be recorded and will you have access to it, and the answer is certainly yes. We have an Ask the Expert page on YouTube that will have this recording as well as all of the previous Ask the Expert sessions that we have done, and that dates back to last year. There's a lot of good content; on the ServiceNow side we are quickly rolling out applications and enhancements to applications, and so that is a great spot to go look and just see what's out there and what some of those enhancements or product solutions are that we've been rolling out lately. So with that, are there any questions in the chat, or if anyone wants to come off mute to ask a question, we can facilitate. I think you got the one that was the RiskLens FAIR and Open FAIR, correct?

Yeah, I believe we answered it, Carrie answered that one live. Yep. All
right again i've um went ahead and put today's link um in the in the chat uh so that you all can go and look at the recording as well share it with your colleagues um and then post more questions there you're open to post questions on the community anytime post your own questions post them on the in the events today and our experts will um come back and and engage with you on those um so with that i will hopefully we'll be getting our next sc experts published soon as soon as we get them scheduled and you know stay tuned for them so with that thank you all for joining us today
https://www.youtube.com/watch?v=alo7ZnahZo0