ServiceNow CISO reveals tracking of all staff security skills

ServiceNow has launched a program to rate the security skills of its 7000 staff, so that it can identify those whose appreciation of risk means they need extra training to keep the company safe.

CISO Yuval Cohen told iTnews that in his role as CISO, he consults with ServiceNow customers to ensure they can use its platform securely.

Those talks often reveal that customers trip over on security basics such as failure to use two-factor authentication or require strong passwords.

Cohen said, in his experience, security incidents are more likely to flow from this kind of poor security practice than from more complex exploits.

So ServiceNow is now determined to model better behaviour itself and it needs to: as a substantial SaaS player it needs its staff to be well-versed in how they could become an attack vector for a third party seeking customer data.

Hence the program rating security skills among the company’s staff.

Assessment of staff skills includes phishing tests that Cohen’s team monitor so they can inform staff who fall for fake emails.

Cohen declined to describe all the test and rating tactics he uses, but says the result is a score for all staffers.

And you’re never too cool to go back to school.

Those who score poorly are educated in sessions conducted by the 150-strong security team Cohen heads.

The ServiceNow CISO said his team conduct such training in person because it is more impactful: he suggested staff respond well to the formal-if-slightly-imposing experience of having members of the global security team explain how to improve their security stance.

Call it the human touch.

In an uncanny coincidence, some of ServiceNow’s government customers are also fully embracing the need to be sufficiently security aware - especially the ones who accidentally lose safes full of highly classified Cabinet documents.

In July iTnews revealed ServiceNow had scored a $1.67 million deal with the Department of Prime Minister and Cabinet to track secure document containers after the ABC was handed reams of classified material by the unwitting buyer of the second hand safe sold without a key.

“A new online application (Service Now) process has been implemented to manage requests for new secure containers, their relocation and disposal,” the investigation autopsy penned by former defence supremo Ric Smith said.

It added the software will “significantly improve reliability, auditability and tracking of information” and called for regular meetings by senior management to review security breaches.  

Cohen’s visit to Australia and chat with iTnews co-incidentally took place on the same day as the release of ServiceNow’s new “London” release.

This time around the company has added a virtual agent chat bot IT departments can use to offer self-service for some user requests.

Tellingly, London also adds a “Walk-Up experience” that makes it easier to join a physical queue for face-to-face support engagements, and did so because users feel more satisfied after a personal tech support experience.

There’s also a new set of processes for security incident response management, a “major issue management” tool that lets customer service staff open one case and apply it to many customers, new document management tools for HR pros and more.

Unlike other SaaS players, ServiceNow does not deliver new releases to all its customers at once. Instead, the company also gives each customer a dedicated instance of its platform and the option to upgrade at a time of their choosing.