Risk management is one of those things that sounds really boring but is incredibly important to the ongoing operations of any business. At one level, it’s a well understood discipline that even has its own official standard, the ISO 31000 Risk Management standard. But the nature of business has changed significantly since that was created. I spoke with Sean Convery, the VP and GM, Security and Risk Business Unit, about how risk management is evolving.
Convery told me, during an exclusive interview at Knowledge 19, the company’s annual user conference, that ServiceNow has invested significantly in more resources in the area of risk management in response to increasing customer needs.
“The feedback I’m getting from customers is ‘my security team is operating in a silo from my IT team’. And now, because we have security and risk offerings on the same platform, we can link those together,” he said.
For example, if a vulnerability is detected in a piece of software and that issue can impact business operations, that will be added to the corporate risk register. When a patch for the vulnerability is available, a date can be set for when that software update is to be applied. If the date passes without the fix being applied, the risk register can be updated and the system owner can be alerted.
This process is not particularly new. But most organisations manage all the steps manually and the risk register might only be reviewed monthly or even less often. By connecting the risk team who identify the vulnerability, the system owner that’s affected and the IT team who is responsible for applying the patch, you can now have a more dynamically managed risk management and mitigation process.
Each step in that process can be automated, from the identification of the vulnerability and its addition to the risk register, through to its rendition, alerting and associated actions.
Also, as the risks are tied to specific business processes and outcomes, the focus shifts from being a technical problem that is somewhat abstracted from business needs into one that can be quantified and provided in terms that are meaningful for business.
“Now you can make the assessment on the basis of a business service,” said Convery. “If I have a vulnerability on my internal vacation planning wiki that’s great. But if I expire the SLA [Service Level Agreement] on my point of sale system or ERP system, that’s a very different impact. We can have the risk calculators move differently on the basis of the value of the service the risk is present on”.
That model can be applied to any process. For example, during the staff on-boarding process, you can escalate a risk if a new team member doesn’t complete their compliance training or if all the pre-hire checks aren’t completed.
The ability to automate risk management and mitigation is becoming increasingly important. As business automate more and more processes through their digital transformation projects, the risks and impacts they face aren’t just different but are changing faster than traditional, manual processes and systems can accomodate.
“A lot of risk and compliance today is about how to do risk roll ups. If you wanted to find a hierarchy of risks on a geo basis or divisional basis, you could actually create a visual representation of that and attach a vulnerability or policy exception to that. In the past, we were more focussed on IT risk. Now we’re more focussed and capable on the business side”.
When it comes to security side of the coin, the ability to automate more is also critical. Most security operations centres and terms have playbooks that provide instructions on what to do when an incident occurs. As new threats and attacks occur, the ability to respond quickly is becoming more important. So, taking that playbook and covering it into an automated process is critical. Convery said many of those known processes can be covered into automated workflows, with very little coding, or in some cases no code, using ServiceNow’s platform.
For example, it’s now possible to import patch data and linking that with vulnerabilities and which systems will be fixed. So, as well as giving IT tools to use, it means system owners have a connection with what an update will do to address a business risk.
This change in how risks are seen and managed is moving lock-step with digital transformation. As more business processes are technology-dependent, we’re seeing the role of the traditional IT department becoming decentralised as business process owners become more savvy about technology and closer to the solution choice and design.
Convery said “This is the natural end-point to digital transformation, that IT starts to devolve into technology as a whole. If you have processes digitally executed, everything becomes a technology risk”.
The writer attended Knowledge 19 in Las Vegas as a guest of ServiceNow.