Embedding Security into Culture, Contracts and Customer experience

Ben de Bont joined ServiceNow in July 2019 and currently serves as CISO. He previously served as CISO for IBM Cloud, CSO for HP Cloud, CISO for Myspace, and led Microsoft’s online incident response team.

Interviewed by ADAPT’s Senior Research Strategist Aparna Sundararajan for ADAPT’s CIO Edge, Ben de Bont shared the ways he has been embedding security within ServiceNow into their culture, contracts, and customer experience.

Aparna Sundararajan:

What we want to focus on today is ADAPT has come up with 12 Core Competencies for the success of Australian executives.

One of the Core Competencies is embedding security within the organisation.”

At ADAPT, we define it as more like the technologies and tools that you use to secure and safeguard your organisation.

The guiding principles that will help them to decide on the technologies and the people angle as to how do you create awareness around people to make them the first line of defence.

I’d like to understand your views on it, especially around how you would define embedding security within an organisation in today’s world and more so for tomorrow.

We’d love to hear what would your definition be?

Ben de Bont:

Embedding security across processes, people and technology is a very interesting challenge. My immediate reaction would be that any approach that you take needs to enable and support the business.

For many years, security is seen as getting in the way of technology or getting in the way of progress. The opposite can really be a great contributor to a businesses success.”

That is to consider security to enable the business and the businesses objectives.

In the case of ServiceNow, we have so many different types of customer data that the value of that data is starting to increase, and so does the need to protect that data.

It’s in our best interests to have a really good strong cyber security programme in place. And that is a focus for our entire organisation as well as for our board.

Aparna Sundararajan:

That’s very interesting. Are you also seeing security as a part of your contracts? As a service company?

Ben de Bont:

Absolutely. Security is not only part of our contracts, but it’s becoming more prominent in our contracts. And managing requirements globally, such as the right to audit that we see in the EU or is increased scrutiny from financial regulators in the United States.

This does make its way into contracts itself around security requirements, but it goes beyond that.

Our customers want to talk about cyber risk and how we address it within our company. And having that transparent conversation with our customers provides them levels of assurance and trust that may not have existed in the past.”

Aparna Sundararajan:

How do you see it being relevant to them right now? Why is it more relevant to them than it was yesterday, just because of the scrutiny or is there any other factor as well?

Ben de Bont:

The bar’s been raised, there’s so much more data that exists in the last couple of years. There’s been more data generated than existed in the history of humankind electronic data.

It’s more important than ever to protect that people are concerned about the privacy of their data and that is passed upon there. Those institutions that haven’t.

Therefore that bar to protecting it has been raised and the expectations of our customers reflect that need and desire to protect data.

Aparna Sundararajan:

How do you really go about making your organisation more secure and your customers secure? How do you embed security within your organisation?

Ben de Bont:

The most critical aspect that you just touched on before is people.

It doesn’t matter how good a security team is within an organisation or a cyber strategy, it’s the people within that company or organisation that can really build and uplift the security culture.”

If the people are more security aware, that company will be more secure and hence that company’s customer’s data will be better protected.

Aparna Sundararajan:

Are you seeing a change in the programmes that you’re conducting across your organisations to achieve that success around making people aware?

Ben de Bont:

It is, and I think the best indicator of success has been having a vision and explaining why to people within the company.

Why is it so important to secure our customer data? Because it’s important to them.

Having a transparent conversation within the company on why that data it’s important to protect it resonates with our employees, but it also resonates with our customers.

To really establish a level of trust you need to be transparent with what you’re doing internally around security with your customers themselves.”

That then develops a partnership and a relationship while the rather than one that’s reactive when you have may or may have a security incident sometime.

Aparna Sundararajan:

Are you also including the CEO and the board aligning them into understanding what the security processes are? Because I have heard so many stories around phishing attacks, mostly targeted at the CEOs and the C level executives as well.

What happens when there is an awareness programme going on, which can be neglected by the C level saying that we already know about this so we can’t make time to really go through it.

It’s a very simplistic appearing problem, but it’s a real one.

Ben de Bont:

The scenario you described has been the status quo for a long time, but in the case of service down, our customers are demanding greater levels of transparency into our security programmes and that is communicated directly to the C suite and to the board.

Not only do they expect the security conversation, they demand it.

Aparna Sundararajan:

Circling back to enabling the business, traditionally security has always been seen as hindering business, but I would say security really is like a checkpoint to tell the business that you can do this right now, but it’s not really sustainable.

It can be seen as an inhibitor rather than directly enabling a business.

Ben de Bont:

This is especially the case in IT where you need to balance the trade off between usability, scalability, and availability with security. If you ignore one or the other, then it will come back to bite you.”

It’s very important to have a partnership and how you address all four of those elements together. And then security enables the business and IT can do the same.

Aparna Sundararajan:

You’re saying your stakeholders have a similar vision. They understand the importance of security right now.

Ben de Bont:

The more we see security on the front page, the more that awareness will continue to be pervasive.

But it is a very important business objective for us at ServiceNow, the whole company is aware of it. That doesn’t mean we can’t continue to uplift security as much as possible, but that’s our objectives.