Mastering Cyber Risk and Resilience with Melissa Cohoe
Intro: Welcome to The Innovation Today podcast, where we speak with today's technology leaders about how they're innovating to stay ahead of changing industry dynamics and reaching new levels of productivity and automation. Brought to you by ServiceNow, your partner in digital transformation.

Jim: Thank you for joining us today for another episode of The Innovation Today podcast. I'm your host, Jim Van Field, Innovation Officer at ServiceNow. Today we're excited to welcome Melissa Cohoe, Global Practice Strategist for Strategy, Risk and Resilience at NewRocket. Welcome, Melissa.

Melissa: Thank you very much, Jim. I'm happy to be here.

Jim: Well, I'm really excited to jump into the topic of cyber risk, but first, can you tell us a little bit about you and your role, please?

Melissa: Sure. As the strategist for security, risk and resilience at NewRocket, I work very closely with our customers, particularly our long-term and strategic clients, helping make sure they're achieving their long-term goals and looking at the big picture, as well as keeping really close to where the industry is moving, both from a risk and resilience and a security operations perspective, as well as in financial services or energy or healthcare. And really helping bring what we learned from our existing clients, and from the thousands of clients we've worked with, to our newer clients, so that they can learn from the mistakes we've made in the past and be able to have more successful outcomes.

Jim: That's great. And you've said in the past that one of the major pitfalls for risk is actually the myriad definitions of risk. Can you help us: how often do you run into it, and what does it actually mean in different contexts?

Melissa: Sure. First of all, I probably run into it all the time on cyber risk and technology risk, and the ultimate challenge is that the word "risk" in the English language means a lot of different things to different people. So, for example, someone might say, "I have an open vulnerability that poses a risk to my organization," or "I have port 8080 open and that poses a risk to my organization." These are all things which pose risks. The challenge is that when you're starting to think about it, not from a technology but from an enterprise perspective and an organizational perspective, you need to start to be really clear as to what you mean when you say anything. You need a good and clear taxonomy, so if someone says "risk" I shouldn't be guessing: do you mean a vulnerability? Do you mean port 8080? Do you mean the risk of a tornado? Anything like that. And usually what will happen is organizations have to start to get better clarity on what they mean. This is especially important when you're operationalizing your risk program, when you're using a tool like ServiceNow. ServiceNow is black and white. It has to be a system; it's more scientific, while risk as an industry is a lot more like a philosophy or an art. To operationalize your art, you have to make it science, which means you have to be very, very clear. That's what it is.

Jim: That's great. Yeah, so then within that context, now that you've helped us define that, and I'm sure this question depends from organization to organization, but maybe you can give us a couple of examples of different industries and different organizations: what's keeping people up at night right now?

Melissa: Absolutely. So the ever-revolving threat landscape is definitely keeping people up at night: different cyber attacks, the way that people are getting more creative, always finding different holes and opportunities. Another thing is really the regulatory changes; regulatory changes put a lot of pressure on a lot of businesses. The other thing I find that's really big is that people don't know what should keep them up at night, and that's what keeps them up at night, because they sit there going, "Well, am I going to get attacked? Am I going to get a cyber attack? Is my name going to be in the paper because somebody left a laptop on a bus?" All of these things, just not knowing, stresses people out.

Jim: That makes a lot of sense. So what you're saying is that there can be a bit of a gray area, that it can be very contextualized.

Melissa: Yeah.

Jim: With risk, it's a complex topic. Can you give any specific examples for our listeners when an organization didn't move fast enough, or moved too fast and ignored the pitfalls in implementing ServiceNow or the risk program? Or just, in terms of a way that their risk level was threatened due to either inactivity or moving too quickly? And I am going somewhere with this.

Melissa: Okay, I'm looking forward to that. I think one of the biggest examples is vulnerabilities being left open for too long. So the average vulnerability takes over 100 days to be identified, and the chances of that vulnerability actually being breached is usually like the biggest risk to organizations. And when you actually have that breach, it actually costs like four and a half million dollars per breach on average. An example of going too fast: usually that's when organizations are actually implementing, they're solving one problem after another after another, without ever actually looking at the big picture. So a good example is, I was talking with a client recently. They'd implemented third-party risk management, they'd implemented cyber risk, they had implemented SecOps, and none of these things talk to each other. And of course they're sitting there going, "What's the value of the platform? All I'm getting is... I'm still getting 15 different answers, but instead of getting it from Excel I'm getting it from another product," because there's no cohesive...

Jim: Correct. Strategy.

Melissa: Correct. So they stop, they don't look at the big picture, they're just going. It's funny, because risk is a proactive function. It's meant to be proactive, to get you ahead. But if you implement risk reactively, you never change the story.

Jim: Right, it's just whack-a-mole.

Melissa: Yeah, exactly right.

Jim: Yeah, which is a lovely game, actually. It's my favorite.

Melissa: It is quite fun, unless you're in risk and security.

Jim: Yes, correct, correct.

Melissa: In which case I want something to go whack those moles for me while I go be productive and sleep at night.

Jim: Exactly, exactly. So where I'm going with this...

Melissa: Okay.

Jim: ...is, I know that every listener out there is thinking about artificial intelligence, and there is the whole gamut of people moving too slow, people moving too fast, and for a variety of reasons. But for this particular conversation, the risk threshold around artificial intelligence: I'm moving too slow, I'm moving too fast, right? So what is AI within this context, and what's important from a risk standpoint? And what I'm trying to do is ask you the questions that I feel like leaders of organizations would want to know when it comes to risk as it applies to AI, because we know AI is a great opportunity.

Melissa: Absolutely.

Jim: And it is a little bit, and I've used this metaphor before, it is a very, very pretty hammer looking for a nail. But we're confident enough that it is going to be a business-changing, a transformational tool.

Melissa: Absolutely.

Jim: But to your expertise, we really need to be thinking about the risk side of this.

Melissa: Absolutely.

Jim: So what's on your mind? How are you advising people with this topic?

Melissa: The first thing I recommend to everybody is to think about AI governance before you really start to go into AI. You really should be looking at: what are the potential threats that you could be exposing yourself to by implementing AI? What is the value of implementing AI versus the risk that you're exposing yourself to, and is it the right balance? And also, do you have a process to make sure that, one, your organization can still make quick decisions and be agile and dynamic, but is also making good decisions? I talk a lot about responsible innovation as being a really critical thing you have to do. It used to be that you could just go and experiment, and you would try something out, and everything would be okay, because the worst thing that could happen is your paperwork just doesn't work out. Now that we're talking about technology, your failures can be exposed very quickly by an enterprising bad actor. So it's making sure that you're enabling business transformation, but also doing it responsibly: thinking about what could go wrong, and is this actually worth it, and how much am I buying into hype?

Jim: Yeah, yeah. And that's a great segue, because I wanted to ask you also: a lot of people shy away from what we're talking about, risk. And you and I talked about this; this is what really grabs me, because whenever I talk about risk it is in a much more... not inside of a risk operations organization. But you talk about risk as a business enabler; you talk about it as an opportunity. So tell us more about that.

Melissa: Absolutely. So if you make a business change and you go after a piece of business without analyzing the likelihood and impact of something going wrong, you are more likely to fail and have a huge negative impact to your business, from a reputational perspective, from a revenue perspective, from a board perspective, to your personal perspective, than if you took just a little bit longer to analyze and say, "Okay, what am I going to accomplish? What is the return on investment that I'm anticipating? What could go wrong, and how am I going to avoid it from happening and keep it from happening? Once I've done that, am I actually making the right decision?" It's just about not moving slowly; it's about moving with care. It's about not jumping off the cliff without looking. And I think that's an incredibly important part of doing business, especially in this day and age, where if you do something wrong it's exposed... I keep talking about reputational loss, but if you do something wrong, it's exposed immediately.

Jim: Absolutely. And you gain trust in droplets and you lose it in buckets.

Melissa: That's Scott Ferguson from the product marketing...

Jim: Yes, sorry, product team.

Melissa: He says that.

Jim: McDerm likes quoting it as well.

Melissa: It's absolutely true. Yeah, and it's critical. Like, if you lose the trust of your people, if you lose the trust of your customers or your employees, you're done. That's it.

Jim: Yeah. But as you were speaking, a metaphor came to mind. Jumping out of a plane is dangerous, or lethal, right? Wearing a parachute is innovative and fun.

Melissa: Yes.

Jim: So there's no reason you can't jump out of a plane. Make sure you're wearing a parachute.

Melissa: Exactly. I'm not saying don't jump out of the plane. I'm saying take the training and wear a parachute.

Jim: That's right, right. Well, I guess my last piece is: is there anything else that we haven't talked about yet that you feel like would be valuable for our listeners?

Melissa: Something I'd like to talk about: AI in risk and in security, for a second.

Jim: Yes, I love that topic, absolutely. Tell me more about... maybe I'm preempting this in the wrong direction, no, I'm interested. This is something I'm really interested in asking risk experts: is AI a risk enablement function?

Melissa: It absolutely can be. I do think that there's a series of steps that have to happen first.

Jim: Okay.

Melissa: One of the biggest challenges with risk management is it's not always operationalized. It's often in Excel; it's not always in a system. And like I said, sometimes even if it's in a system, the data is disparate and not communicating together. AI does need a baseline of data, and it needs data with high fidelity.

Jim: Yes, exactly.

Melissa: But I do think that AI is going to be a catalyst for change in risk, because to get the benefits of artificial intelligence, we're going to have to step up our data game, and that's going to pay dividends. And you're probably going to be able to have something happen like port 8080 being open on a computer. I don't know why I'm obsessed with that example; it's just super simple.

Jim: I'm stealing it. Excellent.

Melissa: Port 8080 is open on a computer. It's part of a business unit that has over 100 computers that have port 8080 open. You just exceeded a risk threshold; you now have to redo a risk assessment on that business unit. That's the nirvana of risk management, and it's not often achieved, because the data fidelity just never gets there.

Jim: Right.

Melissa: I think AI is going to get us there. And then it's also going to start to be able to do things like look at data and say, what are the risks we're not looking for? What are the predictors of a bad business decision that's against someone's interest to bring up? Because, in my mind, the biggest risk to organizations is when there's something that is wrong and it is against somebody's interest to bring up.

Jim: Yeah.

Melissa: Usually, almost all of the major risk exposures that I've seen, I can trace back to, you know what, no one wanted to say it.

Jim: Right.

Melissa: I've heard of organizations changing risk indicators from red to green just by changing the threshold, because they didn't want to report it.

Jim: No.

Melissa: Right. And so AI can be the non-... the unbiased, ironically, the unbiased overseer. That makes it sound a little bit too ter... the unbiased observer, and action.

Jim: Yes, for understanding the risk. And it doesn't have feelings to make those decisions. It's not afraid of the data.

Melissa: No, it has no ego. It's not worried about its bonus. So long as it's properly trained, it could start to identify that, and that will be for the betterment of the organizations and their customers and their employees.

Jim: That's great.

Melissa: And that's what I'm super excited to see.

Jim: So are there opportunities, do you think, for artificial intelligence as basically a co-function of risk, where it is operating in tandem with the people? I guess this is the example you're already alluding to, right?

Melissa: Yeah. It's using predictive intelligence to be able to say, "Listen, based upon what I'm seeing, in 3 months, 6 months, etc., there might be a problem, so maybe you should look at it now rather than look at it when we're names in the paper." It could also identify things that your risk teams wouldn't necessarily be able to identify. So, for example, something I've been thinking about is control indicators allow you to do continuous monitoring in ServiceNow, but your compliance teams don't always know if new things are coming into ServiceNow. So what if you had an analysis going through, going: where is our data? What is the data telling us? Can we now automate this control, and how would we automate the control? And recommend it and provide recommendations. So you're doing something that humans would never have time to do anyways.

Jim: Right.

Melissa: But it would be a huge timesaver once you've done it, and if you can contextualize what's important to the humans in the process, it can be making better and better choices.

Jim: And then train it on what good looks like, right?

Melissa: And then, yeah, and what bad looks like.

Jim: Yeah, exactly.

Melissa: Yes, because that's probably even more important. Like, "This is the bad thing that happened; now try and make it never happen again."

Jim: Good luck. Well, as always, Melissa, it is such a joy to talk to you. Thank you so much for this. I learn something every day.

Melissa: Excellent. Thank you so much for having me, Jim. It's great.

Jim: It's my pleasure. And thank you to all our listeners. Please subscribe and share if you like what you heard today, and be sure to join us for our next episode.
https://www.youtube.com/watch?v=WQDrBhvnACI