Quantify Cyber Risk in Financial Terms with ThreatConnect and ServiceNow IRM

Import · Jul 31, 2024 · video

All right, thank you so much for joining the webinar today. We're very excited to be presenting Quantifying Risk in Financial Terms with ThreatConnect and ServiceNow. I think you're going to find this very informative. Please hang with us; we've got an amazing demo later on and some wonderful information before that and after that. I wanted to do a little bit of housekeeping before we get started. You have been automatically placed on mute, but we do want to make this interactive, so please use the Q&A panel at the bottom to ask your questions. Our presenters are really interested in getting to know what it is you're looking for, what you're looking to do, and they want to answer your questions, so please use that Q&A panel. The session is going to be recorded and it will be available on a YouTube playlist; I will put the link in the chat a little bit later. Also, we have additional webinars coming up, so please look in the chat, because I'll be putting a link to register for our What's New webinars that will be coming out in August, talking about all of our new features, which we really want you guys to be able to see and to share with you. After the session ends, stick around for a minute or two; there will be a short survey. We really appreciate you filling it out, because it helps us figure out new topics that you're interested in hearing more about a little bit later on. And with that, I want to introduce our speakers. Carrie, do you want to start?

Yeah, thanks Teresa. Thank you to everyone for joining, and for those of you watching the recording, thank you for taking the time. My name is Carrie Wise. I'm the Director of Market Development for our risk product here at ThreatConnect. I've been with the company for about a year and a half now, where I get to work with partners like ServiceNow to expand cyber risk quantification capabilities into their platforms, like we're going to take a look at today.

Awesome. Oh, thank you Teresa. So hi everybody, I'm Gea Dom Davis. I'm a senior advisory solution architect here at ServiceNow for our risk products. So I work with a lot of different customers on how the actual Integrated Risk Management product works, how it looks; I do demos, POCs for customers, and I've been with the company for about seven years, both in the risk and the security space. So it's great to meet you all.

And I think you're going to find that both of these speakers have a lot of experience and are going to be able to share some really, really interesting and very useful information. And with that, we're going to turn it over to Carrie to walk through the agenda.

Excellent, thank you Teresa. So today what we're going to do is we're going to lay out this webinar in three sections. First we're going to talk about identifying and assessing cyber risk, and this is all within ServiceNow. Then we're going to get into how the ThreatConnect RQ app helps automate cyber risk quantification, prioritization and, in my opinion I would say most importantly, mitigation recommendations. So not only quantifying risk, but you're going to get recommendations on what to do. From there we're going to get into the platform itself; we're going to show you the app with a high-level demo, kind of show you how it works and some of those values that you're going to get back from it. And then we're going to move into that final section, which is communicating and reporting cyber risk using quantification: what are the benefits of that, and then what could that look like within ServiceNow. We can wrap it up with questions at the end, but as Teresa said, if anybody has any questions as we're going through it, please use that Q&A function; you'll find the button in your menu there. Please feel free to submit questions; we will be fielding those as we go. We'd like to have a more dynamic dialogue as things are progressing through the webinar, so please feel free to use that function. Right, so kicking it off, we're going to start with how you effectively identify and assess cyber risk, but first we're going to break this down into three sections. We're going to talk about some of the current problems, what is the solution to that problem, and how does the ThreatConnect RQ app enhance your ServiceNow IRM environment. Gea, over to you.

Thanks Carrie. So just level-setting the problem that we're seeing with a lot of different risk managers in the industry: risk is accelerating at a pace never seen before, especially after COVID, and risk managers have a lot of different areas that they need to consider. One of them is, as all of these different businesses accelerate their digital transformation, that's creating more inputs, more outputs, more integration. So how do we assess the risk of those different areas, how do we manage that, how do we communicate that? The cyber risk landscape continues to evolve. We look at vulnerabilities, we look at configuration issues; how do we track those, how do we have proper change management around those, as we all saw last week with what happened. When we think about privacy, more and more employees and customers are fixated on how are you using my data, how is that protected, do you need that data that you're collecting. And then we have expanding regulations in a number of different areas, even beyond cyber risk. So how are we tracking those regulations, how are we testing those controls, and how are we having accountability on gathering the evidence, having the proper testing procedures and so on. So, slide, Carrie, please. Thank you.

And what we're seeing is that every team in the organization is concerned about cyber risk, whether it's finance, whether it's facilities, whether it's legal, and because they all have different areas of risk that they're covering in their specific silos, this data is typically kept in that silo and not shared across the organization. So when we think at an executive level, how are we actually supposed to be budgeting, how are we resourcing? We can't make proper decisions because everybody's using their own taxonomy and they're having their own method on how they assess security risk and cyber risk in their different areas. Thank you, Carrie. So having these silos is creating more than just poor and delayed visibility from a decision-making perspective; it's causing a lot of different types of cost, whether it's the purchasing of technology or internal folks spending more cycles than they should for risk management. We're more focusing on reactive decision-making versus proactive decision-making, so we're just trying to keep up with what we can and doing the best that we can with outdated data and unconsolidated data when we are making those decisions. We're seeing poor adoption from stakeholders, so if we have technologies and processes that are outdated and legacy, people don't want to log into systems and start processes, because that's going to give them more work and they'd rather figure out their own way to solve these different types of problems. And then we have inadequate control management: because we have to adhere to these different regulations and we have to test controls, but if it's all in different systems we're doing controls redundantly, so we're testing the same control over and over. We don't have the proper assurance on how that control was managed and tested, so we don't really have reassurance that we're meeting these different regulations that we're responsible for.

So specifically talking about the ServiceNow platform as an option, we really focus on having a platform for cross-functional communications. So if end users are already using ServiceNow for things like "I need to order a new laptop" or "I'm trying to check out what my holiday schedule is", this is a platform they're already familiar with, a portal they're already familiar with, so GRC or integrated risk activities are just another action that they may be familiar with that they can do in that portal. And then we can engage different teams throughout the workflow easily through that similar interface to be able to share information across different teams, depending on the severity of that information and how urgently it needs to be shared across those different teams as well. And one thing I want to highlight also is that if you're using ServiceNow for things like IT Operations Management for discovery of your assets, the Integrated Risk Management solution can leverage those assets for understanding where your risk and your compliance activities should be aligned against, whether it's a server, an application, or whether it's higher up, kind of in the business hierarchy, and we're thinking about facilities and we're thinking about departments. We also can start to leverage IT Asset Management for similar means, but we also can bring in things like, if you're using Security Operations for managing your vulnerabilities and your security incidents, we can feed that data into risk management to raise risk levels if we're seeing vulnerabilities not being patched in a timely manner, or we're seeing an incident in security incident response that needs to be working with the compliance team and the legal team. So we can bring different teams together when we think about a major security incident occurring. And then also we can integrate with Strategic Portfolio Management when we start to identify different projects in the organization and we want the risks in those projects to roll up into a broader risk register to have more enterprise-level tracking across the organization.

And then just my last slide coming up. I really want to just kind of highlight what we do in risk management, and you're going to see how that rolls into the ThreatConnect risk quantification app that Carrie's going to be walking through. But in our risk management solution we really can focus on what are the different libraries of risks and controls we're looking to align against, and then having them associated with the proper entities or assets within our organization. We can go through a risk identification process and actually automate surveys going out to specific stakeholders to say, based on the work you're doing, these are the risks and these are the controls that we expect you should be aligning to. And then from there we can move to a risk assessment process, where we could start to say, okay, now that we've identified these risks, what do we feel like the inherent risk, the residual risk, those areas are, and then also decide how are we going to respond to those risks: are we going to mitigate them, are we going to accept the risk around them, and we can have the appropriate workflows in those areas depending on the action that we choose to go forward with. And then when we track and monitor that risk over time, we could start to input, if we truly have an event where that risk was exploited, what kind of loss did we see, who was involved, can we do the root cause around it. And then if we want to track KRIs within our environment, we can leverage the data from the other parts of the ServiceNow platform, or through integration with other solutions, to say that this risk is actually at a higher level than we thought because our KRIs are failing, based on the data that we're bringing in from Security Operations or a data lake, so we want to alert the proper people. And then we can have issues managed within the platform, where we can start to say, okay, we have some sort of finding or deficiency: who owns that issue, how do we remediate that, what's the workflow to getting that issue closed out. And all of this can be reported on through a series of dashboards and reports and email notifications, so we can alert the right people as we're going through this risk management process. So with that, I'll turn it over to you, Carrie.

Excellent, thank you Gea. So I love that layout of the risk workflow. It's often said that you can't manage what you're not measuring, and if you are measuring risk, if you apply a better method of measurement, inherently you're going to get better management of risk within the organization. And this is where the RQ app comes in: it enhances your experience within your ServiceNow IRM because it allows you to directly measure and communicate that cyber risk, and by doing so in financial terms, it allows you to manage cyber risk in your organization a little bit better. We're going to talk about some of the benefits that come with using cyber risk quantification to communicate cyber risk throughout the organization, but especially up to leadership. And so now with this app, it is built into ServiceNow, it's built on ServiceNow; it's not another platform that you need to acquire and bring in. And when you do this, what it does is it allows you to really effectively prioritize your risks, because if you have all these risks, how do you prioritize those, which ones are substantial to the organization? When you look at any risk-mitigating security investments or initiatives, typically it's a combination of an investment with resources, so how do you prioritize those? And then when you're doing that, why are you doing it? At the end you want better risk management, to be able to, whether it's comply with regulations or mandates or maybe some internal policies. I'm sure a lot of people are aware of the latest SEC guidelines, their ruling around materiality, so this goes back to managing what you're measuring. So if you apply measuring using financial terms, now you have a mechanism to comply with that, and even if you're not subject to the SEC guidance, it's a good thing to know what is material for your organization. When we talk about materiality, it's what would have a big impact to the business, and that's really hard to identify if you're not speaking in business terms.

So a little bit about the solution. As I said, it's built on ServiceNow, within ServiceNow, so it is in the ServiceNow Store for you to go ahead and get that and implement it into your ServiceNow IRM. And the whole goal is to kind of move beyond, not necessarily past heat maps and qualitative metrics, but to start moving forward and enhancing the capabilities of those. And the way that we do that is by being able to provide those financial metrics around cyber risk, being able to translate those highs, mediums and lows into business terms that resonate with the business and help them make decisions. Okay, now when you do this, I have some use cases listed here. The very first one is a pretty simple use case of just implementing cyber risk quantification, which is being able to get those quantitative results with those cyber risk assessments. Right there, that first step, it's helping you move the needle within the organization, and as you do that, now you can measure the financial impact of your security controls and what state they're in. So within ServiceNow you have controls that are either compliant or non-compliant; so how much risk, how much financial risk, do those non-compliant controls expose the organization to? So when you do that, now you're able to first quickly understand that loss, but also what are those mitigation actions that you're going to take against those control improvements, what does that look like. And now we can start talking about an ROI, where you have finite resources, money and time, so where do you focus, how do you prioritize those? You want to focus those efforts on the improvements that are going to have the most risk reduction within the organization, and that's what this app does: it enables you to be able to make those decisions. We also talked about defining materiality around the SEC guidance and how important that is; whether or not you're subject to that SEC ruling, it's really just a good practice to get into and to understand risk from a business context within your organization. And then when you do that, you're able to just communicate and report risk on another level with leadership, in a way that resonates with them, that they can start to understand how these cyber risks actually impact their business and the organization and, most importantly, the bottom line.

Okay, so with that, what I want to do is start talking about how this works, what does it look like, what's the lift to do this. One of the common misconceptions is that to do risk quantification you have to be a very mature organization with a lot of resources to put towards this, and it's just a big lift, and thankfully that's just not true, especially the way that this app has been designed. So I have some screenshots here, and we're going to dive into the demo here in a second, but just to show you: within ServiceNow, under the Details tab, you have all of your sections that you're used to seeing, but with this app it adds an RQ Configuration section, and that's where you identify what is at risk. We don't ask you to identify how much risk you have or what your losses would be; that's why you want to leverage the RQ engine. So we only ask for minimal inputs: what is that risk in terms of data, what type of data, what's the volume of data, and then how much revenue is at risk for the organization. And then when you do that, you hit the Run RQ Analysis button and you get quantitative results back instantly, with the recommendations on which controls would bring you the most risk reduction throughout the organization, but specifically for that risk.

A little bit about how this works. I'll give everyone a second to take a look at that and absorb it, but essentially, as I said, this is a seamless application that works within ServiceNow. So from a user perspective, hands on the keyboard, whether it's a control assessor, your IRM expert, your analyst, whoever has their hands in the ServiceNow environment, you're using the platform that you're used to, and as Gea mentioned earlier, there's a lot of information, a lot of data sources that already exist within your ServiceNow IRM instance, so let's leverage those, and let's use those to quantify risk. So you input those values, and then when you hit that Run RQ button, what that does is it sends it to the ThreatConnect RQ engine. It's an AI/ML model that leverages the MITRE ATT&CK framework to understand how these attacks are happening, what are those technical steps that they're taking, the TTPs, and then which controls come into play for those attack types, and then the status of those, the state of those, whether they're compliant or non-compliant, are going to tie directly to that exposure as a result. So one of the things that we do: ThreatConnect pulls in a lot of industry data from both the loss side, so looking at historical losses within your industry, how much loss has been seen or has been incurred from a data breach or from ransomware or other types of losses or attacks, and then we look at, well, what's the frequency of those? How often do we see these bad actors launching ransomware attacks on organizations like yours? So we pull all that data into our AI/ML model to model the risk and then provide those quantitative outputs that are then put right into the ServiceNow instance for that analyst, the IRM expert, the control assessor, to then be able to report up to leadership.

Okay, so with that, if anybody has any questions, now is a good time; go ahead and submit those in the Q&A function.

Actually we do, I do see a question here. Excellent. "Who would input the revenue?" is the question.

Great question. So the user, the ServiceNow user, would input that. You'd want to understand if this is a revenue-generating system, the entity, the application, the asset. If that is a revenue-generating system, how much revenue is flowing through that; if it is direct or it supports a revenue-generating system, how much revenue would be associated with that particular system. And then just expanding a little bit beyond that, not just revenue but what type of data is in that system or the application, within the entity, what type of data, because as everybody knows there are certain fines that are associated with those different types of protected data. Okay, so great question, thank you.

Yeah, awesome. As we're going through the demo, this sparks a lot of questions a lot of the time, so please don't be shy; put your questions in the Q&A panel and we'll answer them as we go along.

Excellent. So we can see here, we're in our ServiceNow instance and there's two different areas that you can work within here. You have the traditional views that you can go to, and you can also go to the workspace, the Risk Workspace, and that's where we are now. So from here what I'm going to do is I'm going to go to the list and I'm going to look at my different risks here; let me filter to find the one specifically where we modeled PII. Okay, so we're going to take a look at a risk here, and I'm going to show you live where you put those inputs and then what are the different outputs that come from that. So right here we can see all this looks normal, that you're used to, all the different fields that you can fill out, that you can inherit and bring into this risk, but as we scroll down here we see an additional area called RQ Configuration, and this is where you identify what's at risk, as you saw in that screenshot. So you can identify the type of data, the revenue, and then when you hit this Run RQ Analysis button it's going to provide some high-level risk results down at the bottom. Okay, now there's two acronyms that I want to bring to your attention: there's SLE and ALE. SLE is going to be your single loss expectancy, so essentially when a data breach occurs, what are those losses, what are those losses going to materialize as, what's that going to look like. And then from an ALE perspective, that takes into account the frequency, then it's annualized. So think of it this way: if you were to have a data breach, let's say in an estimated 135 years, if you were to save up every year to cover that data breach, how much would you need to save up? That's a way to think about ALE. Okay, now one of the things that you can see is we break down the risk by different attack types. So we look at a data breach, if a data breach were to occur on this system or this application, or we see here the entity, whether it's a data breach, a DDoS attack or a ransomware attack, we break those attack types down by loss types, and this is where those fines come in, the legal costs, any settlement costs, ransom payments; this is where those come into play, so you can actually see how these losses materialize for your organization, from an SLE, a single loss expectancy, and then from an ALE perspective, taking into account that frequency. Okay, now this is one of those things where we talked about the use cases of just identifying or quantifying the risk associated with these risks. What that does is that helps you prioritize: if you have 10 critical risks or red risks, which risk is more risky than the other risks? And when you start to quantify those in financial terms, now you have a way to prioritize and say, okay, these are our top 10, five, three risks to the organization, and this is how much financial exposure they bring to the organization. Okay, and then so this is great, but what do you do about it, where do you begin? When you associate controls with your entity, with that application, the asset, what it's going to do is it's going to look at all these different controls and it's going to pull in controls specific to a security framework that you're using. Now this does support all of the industry-standard frameworks like NIST, CIS, ISO, and some bespoke ones, but we're able to ingest these controls, look at which controls are non-compliant versus compliant, and then quantify how much risk is associated with that non-compliant control, but most importantly how much risk would be reduced if you were to become compliant for that control. Okay, and we can see here this is sorted by the ALE reduction, and what this does is this gives you a prioritized list of, if you wanted to look at controls to remediate to reduce risk as effectively as possible, which one should you start with. So we can see that by moving PR.AC-5, which is really around network integrity, if you were to move that from a non-compliant state to a compliant state, how much risk would that reduce across the organization for this specific risk. I see we have some questions coming in here.

We do. Put them around the setup. So basically the questions, and I think they kind of answered it here a little bit, but the setup question is: are they for a particular entity or is it for the entire organization? And it looks like this is based upon an entity, correct?

Correct. So this is based on an entity. One of the things that you're going to do at the entity level is you're going to identify what industry is this in, and then how many employees. What that does is that gives us some data points to go off of, because when we pull in values we want the values to be specific to your industry, so we will bring in that cohort of data. So if you're in, let's see, the financial services industry, we want to have those values associated with that industry and not, let's say, retail, because those are going to look a little bit different. And that is all set up at the entity level very simply, much like the Details tab here; you get an RQ Configuration, you can dive into that and set those two values, and then at the risk level itself, that's where you identify what is at risk for that particular risk. Okay, I see another question here around: does it require a CMDB set up in ServiceNow for accuracy of risk assessments? Great question. This is a question we get quite often, and the answer is no, it does not require a CMDB, and there's multiple reasons for that. It does not mean that you cannot use one, but it's not required. I would caution, if you are going to use a CMDB, there's a term that I'm sure everyone's familiar with, garbage in, garbage out; if your CMDB is full of a lot of noise, we'll call it, then you're going to get a lot of noise as an output. So you want to make sure that your CMDB is clean, and then you can pull that data, that information, into this workflow. Great question, thank you. So from here, we took a look at the app, and we're not going to get into the details of configuration. Within the ServiceNow Store, where you can download the app, there is an installation and configuration guide; there's also contact information where you can reach out, and we'd be more than happy to help you through this process. Okay, so with that, let me go back to the deck. That concludes our demo of the application itself, so let me go into, there we go, the slide deck here.

And let's talk about, so we talked about identifying risk, that workflow, how that looks within ServiceNow, some of the problems, the solution to the problems, what are those inputs, what are the outputs, how can you use them, and now we want to talk about being able to communicate and report cyber risk using quantification. Okay, so first off, some of the benefits that just come with using risk quantification is, first and foremost, you're able to more effectively communicate those technical cyber risks with your leadership team and do it in terms that they're familiar with, in those business terms, the bottom line, that financial exposure that these cyber threats bring to the organization. Now when you do that, they're going to be able to make better decisions on what to do about it, how to assign resources. We often see, when it comes to security investments, leadership, C-level, board members, they really want to know, if we're going to provide this level of funding, how much risk is going to be reduced, what's the ROI that we're going to get if we provide you with this investment, and that's been a very, very hard question to answer using qualitative terms, high, medium and low. If you give us a million dollars we can take a high risk and we can reduce it; say, well, by how much? Well, it's still going to be high risk, but we're going to reduce it. That's a really hard conversation to have. When you add in that financial exposure and then that financial risk reduction associated with the mitigating controls, now you're able to communicate the ROI of those investments to drive risk down. And when you do this, one of the best things about this is, I talked a very little about moving a little bit past, going a little beyond heat maps and those qualitative terms, and now what this does is this moves you into a more objective method to be able to not just identify your risk but prioritize which risks you should be mitigating before others, and then the resources to do so, whether that's financial or person-hours to mitigate those risks. And then when you do this and you implement risk quantification with the app into your ServiceNow IRM workflow that Gea laid out earlier, what this does is not only does it provide an objective method that's defensible, but it provides a consistent and repeatable process for you to be able to measure and manage risks within your ServiceNow IRM. And with that, I'm going to pass it over to Gea, and she's going to talk a little bit about what you can do with these values and what that looks like.

Thanks Carrie. So from a reporting perspective, ServiceNow has a number of out-of-the-box reports and dashboards that we can have for different personas within the organization. We actually recently released a cybersecurity executive dashboard that can collaborate all of your SecOps data and your risk data in one view, and the idea is that if we start to look at the quantification of risks, when we have a heat-map-type view like we do in the Risk Workspace that you see in the right image, we could start to have a heat map that's looking at single loss expectancy versus rate of occurrence, so again more quantifiable numbers that executives can use when they're trying to make decisions on where they should be funding, who should be getting certain resources. And we can control who has access to these dashboards. The data in these dashboards is all live, so we're making sure that everything's getting updated as ServiceNow gets populated with information, so we have an easy view for really making decisions and even sharing with the board of directors: this is what's going on in my organization, these are the key risks that we need to be focusing on, and you have true defensible data around those reports.

Excellent, thank you Gea. And I saw a question that popped up in the chat: is this an uplift charge for RQ, or is it already licensed if you bought IRM? So this is available right now in the ServiceNow Store, that you can very quickly and easily purchase and deploy within the ServiceNow Store in your instance. As you can see, there is a cost associated with it, and then if you want to give this a try, we do offer a free trial, and you can see there is a button there within the store to request a trial to try it. So with that, I'd like to open this up to everyone. If you guys have any questions that have not already been addressed, please feel free to drop those in the Q&A section. At this point we'd be happy to go over those with you.

Yeah, this is now the time to ask those final questions that you've been thinking about. Our speakers are still here to answer those, and they will be as I wrap this up a little bit. Remind you that you can find out more information about our IRM product on the servicenow.com website, and you can find out information about the RQ product on the ThreatConnect website. You can join us on our community; there's a great forum there that's very, very active. And this is recorded; it will be on the YouTube playlist in about 48 hours, sometimes faster. And finally, we do have some great webinars coming up next month, all of our What's New webinars, so if you want to know what's being released on the ServiceNow Store in August for Policy and Compliance, for Risk, for BCM, for Third-Party Risk, everything is being released in August, and we have it all in August in our What's New webinars. The QR codes are here, but the links are also in the chat. Let me check; we've got a question here that's just come in: how long does the free trial last, Carrie?

Great question. So the free trial is a standard 30-day trial where you can test, explore the capabilities and see how that works within your environment.

Awesome. One last plug for the community: on the community is a blog that lists webinars and other events that are occurring throughout the year. I highly encourage you all to check it out; it does change regularly as we add new things, so it's a great place to find out what's happening in the next month or two or even three out from now. And with that, I don't see any more questions. I want to thank all of you for joining us. We really appreciate your time. I really hope you learned something; I learned something. And I want to thank our speakers, Gea and Carrie. Really appreciate your time and all of your expert advice.

Thanks Teresa, thanks for having us, everyone.

Yeah, thank you Teresa, thank you everyone for taking the time to watch this webinar.

Wonderful. See you all next time. Bye-bye.
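The SLE/ALE breakdown by attack type and loss type, and the ranking of non-compliant controls by the ALE reduction they would deliver, that the demo walks through, shown as an added worked example (not ThreatConnect RQ or ServiceNow IRM code; every dollar figure, event frequency and control-effect factor below is a constructed assumption, not an RQ engine output, and PR.AC-5 is used only because the demo cites it):

```python
"""Illustrative cyber risk quantification: SLE/ALE by attack and loss type,
and non-compliant controls ranked by the ALE reduction they would deliver.

Added example for this webinar transcript; not ThreatConnect RQ or ServiceNow
IRM code. All dollar amounts, frequencies and control effects below are
constructed assumptions chosen to make the arithmetic easy to follow."""
from dataclasses import dataclass, field


@dataclass
class AttackScenario:
    """One attack type against the entity, with its loss-type breakdown."""
    name: str
    # Loss type -> expected loss in dollars if the event occurs once.
    losses: dict[str, float]
    # Expected events per year (ARO). 1/35 would mean "about once every 35 years".
    aro: float

    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs, summed over loss types."""
        return sum(self.losses.values())

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by how often it happens per year.
        This is the 'how much would you have to save up each year' figure."""
        return self.sle() * self.aro


@dataclass
class Control:
    """A framework control and the (assumed) effect of bringing it into compliance."""
    control_id: str
    compliant: bool
    # Attack type -> fraction by which compliance reduces that attack's ARO.
    aro_reduction: dict[str, float] = field(default_factory=dict)


def total_ale(scenarios):
    """Baseline ALE for the entity across all attack types."""
    return sum(s.ale() for s in scenarios)


def ale_with_control(scenarios, control):
    """Total ALE if `control` were compliant: each affected attack's ARO is scaled down."""
    total = 0.0
    for s in scenarios:
        factor = 1.0 - control.aro_reduction.get(s.name, 0.0)
        total += s.sle() * s.aro * factor
    return total


def rank_controls(scenarios, controls):
    """Return (control_id, ALE reduction) for non-compliant controls, largest first.
    Compliant controls are skipped: their benefit is already in the baseline."""
    baseline = total_ale(scenarios)
    results = []
    for c in controls:
        if c.compliant:
            continue
        reduction = baseline - ale_with_control(scenarios, c)
        results.append((c.control_id, round(reduction, 2)))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed sample entity (numbers are illustrative, not industry data).
SCENARIOS = [
    AttackScenario("data_breach",
                   {"fines": 2_000_000, "legal": 500_000, "settlement": 1_500_000},
                   aro=1 / 5),       # assumed once every 5 years
    AttackScenario("ransomware",
                   {"ransom": 1_000_000, "downtime": 3_000_000},
                   aro=1 / 4),       # assumed once every 4 years
    AttackScenario("ddos",
                   {"downtime": 400_000},
                   aro=1.0),         # assumed once a year
]

# Constructed control states; PR.AC-5 is the NIST CSF identifier cited in the demo.
CONTROLS = [
    Control("PR.AC-5", compliant=False,
            aro_reduction={"data_breach": 0.30, "ransomware": 0.40}),
    Control("PR.DS-1", compliant=False, aro_reduction={"data_breach": 0.20}),
    Control("PR.IP-4", compliant=True, aro_reduction={"ransomware": 0.50}),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:12s} SLE=${s.sle():>12,.0f}  ALE=${s.ale():>12,.0f}")
    print(f"Total ALE: ${total_ale(SCENARIOS):,.0f}")
    for cid, red in rank_controls(SCENARIOS, CONTROLS):
        print(f"{cid}: becoming compliant reduces ALE by ${red:,.0f}")
```

The ranking is what the demo's "sorted by ALE reduction" list represents: with these assumed inputs PR.AC-5 comes out on top because it lowers the frequency of the two highest-ALE attack types at once.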

View original source

https://www.youtube.com/watch?v=1CjqIatfyo0