ServiceNow’s Vulnerability Response module is one of the most important modules and, at the same time, one of the most underused. We at Adeno have therefore made it something of a mission to highlight this module in ServiceNow because of how we have seen it positively transform the IT departments that make correct use of it.
In this edition of Expert Insights, we spoke with ServiceNow Developer Jonathon Willcock from Adecco. This discussion follows Adecco’s Vulnerability Response back-to-baseline project, where they chose to return to out-of-the-box functionality due to issues related to upgradability and efficiency caused by customizations made to their implementation. During the project, our Adeno Partner and Vulnerability Response Expert, Martin Jensen, provided advisory support to Jonathon.
Can you describe the key challenges that prompted the need for the ServiceNow Vulnerability Response implementation at Adecco in the first place?
To be honest, it was quite easy to build a business case for the funding needed to move our Vulnerability Response activity into ServiceNow. At Adecco, security is a huge focus area for us, and being able to manage our patching activity via workflow was a big step forward. In the past, this was quite a manual activity where we managed the process via spreadsheets and email. Moving to ServiceNow, where we could drive workflow and integrate with our CMDB, was where we wanted to get to.
What challenges made you decide to initiate the Vulnerability Response back-to-baseline project?
Our initial implementation did not adhere fully to an out-of-the-box design, and we introduced some technical debt onto the platform. We are now seeing the results of that initial design by facing challenges with the upgradability of this module and regularly having to manage incidents related to the customizations.
In addition, we are not easily able to adopt new features released by ServiceNow. Our stakeholders regularly ask for functionality that should be available out of the box but cannot be used.
Finally, custom business rules replicating data instead of leveraging relationships were causing slow-running scripts and impacting system performance.
How were these challenges affecting the organization's security operations?
The design challenges made the Vulnerability Response process labour-intensive for our Service Owners by adding additional steps. Customizations meant that we were not properly leveraging CMDB information and sometimes led to attention on vulnerabilities that were not relevant. This overload of unnecessary additional work in order to meet our remediation KPIs caused frustration within our Service Owner community.
How do you ensure that your organization adopts the tool once the back-to-baseline project is completed?
There are both outward (Process Users) and inward (ServiceNow Platform team) benefits to moving towards an out-of-the-box approach, and both need to be promoted. From an outward perspective, our process users will feel the time-saving benefits of what we have done, and they will be able to benefit from new functionality that comes with our bi-annual release cycle.
From an inward perspective, our platform team will be able to upgrade this module more easily, improve the stability of the overall platform, and should have fewer incidents to manage.
What specific goals and outcomes is Adecco aiming to achieve with the Vulnerability Response back-to-baseline project, and what is considered a success?
We are expecting to see a reduction in the number of incidents related to the VR module. Additionally, we are working to enable our Service Owners to manage vulnerabilities in a more efficient way and help us hit our KPIs consistently.
The KPIs we are measuring success against are:
- % reduction in Vulnerability Response-related incidents
- Reduction in end-to-end process time
- % increase in our patching metrics
What stands out as the most crucial advice you received from Martin regarding your back-to-baseline project?
- The use of Remediation Tasks to group vulnerabilities at different levels. VITs can belong to numerous Remediation Task groups for multiple purposes.
- Identifying and understanding the different personas who will be working within the VR module.
- Leveraging all information from third-party databases to create mature vulnerability calculators and provide security teams with as much context as possible when analyzing vulnerabilities.
What should organizations that are considering implementing Vulnerability Response in ServiceNow keep in mind? Do you have any advice you would like to pass on?
- Explore the offerings that ServiceNow provides at baseline and promote those rather than implementing custom logic—this module is frequently updated by ServiceNow, so keep technical debt to a minimum.
- Work with analysts to understand how they work and how they group vulnerabilities.
- Consider carefully whether you want to use the GRC or native VR process for managing exceptions.
- Do whatever you can to promote Remediation Tasks and avoid having people work at the VIT level.
Thank you very much for your time, Jonathon! Also, a special thank you to the project team at Adecco for giving us a peek into the ongoing considerations they faced during the project:
Global Patching Process Owner – Elena Barbu
ServiceNow Solution Architect – Jan Svajgr
ServiceNow Developer – Jonathon Willcock