ServiceNow Governance, Risk, and Compliance vs. Tenable Security Center vs. Tenable Vulnerability Management

Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

Incentivized

[Tenable.sc (formerly SecurityCenter)] does very well for internal scanning for vulnerabilities, however it needs to be combined with Tenable.io in order to do cloud scanning.

Incentivized

I've been using this product since it began as an open source product, I really like it and for the money, I think it's probably the best choice for most companies who need a product like this. Over the years I've seen the interface change quite a bit and sometimes I think it's a bit unclear how to do certain things and the different packages can be confusing, these are the only reasons I'm giving it a 9 instead of a 10.

Incentivized

• Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
• Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
• Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one

Incentivized

• Vulnerability management from one place
• Maximum endpoint visibility
• Easy to set up and plan the structure
• Support desk quickly responses
• Well-prepared documentation
• Broad scanning type
• Supports various compliance standards
• User groups allows coordination between teams

• Setup of the internal scanner was fairly simple and straight forward.
• An update came out for the internal scanner that allows you to add an Internal Certificate Authority for lookup.
• Has automated reporting to keep executives and compliance departments informed.
• Internal scanner can be configured to auto-update itself.
• "Recast Rules" allows your organization to redefine a vulnerabilities' classification, if it is not applicable or your disagree.
• External PCI scans allow you to remediate before submitting to Tenable.io for review.
• Tenable.io staff was very patient and helpful. They provided some limited guidance with remediation.
• Internal and External scans can be automated. schedule for the automated scans is very granular.

Incentivized

• Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
• Easier way to implement workflow.
• Offering better metrics without buying add-on tools.

Incentivized

• Centralized vulnerability management with sensors.
• Network health assessment and Incident response.
• For alerting or notification, it should also support the SMS gateway.

Incentivized

• Expensive - You do pay a slight premium for the best product in the space.
• Asset management is difficult to work with if you have a lot of asset turnover, the license can be ''held'' for 3-6 months after the asset is gone from your environment.

Incentivized

We like to renew tenable each year we have had it so far.

Incentivized

I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Incentivized

based on product capabilities and usage

Overall it is good, it took a little while to understand it and figure things out but once you have a good grasp on it then, it is very good.

Incentivized

It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.

Incentivized

On all of the occasions that I have had to reach out to Tenable for assistance, they have been extremely helpful and knowledgeable. Solutions and support are provided quickly, and they work on the issue until it is resolved.

Incentivized

Support is usually really great at walking you through any steps you need to take when you get stuck on something. There are a few false positives and errors that have come up over the years that required their help to get through. Unfortunately, the steps required to diagnose some problems are more tedious than I think should be necessary. (IE: SQL instances can throw errors that clog up your logs because one plugin affects it in a certain way. The process to diagnose this is to watch timestamps of plugins in a log while monitoring the SQL logs at the same time and using your best guess as to what is causing it.)

Incentivized

We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.

Incentivized

We decided to go with Tenable due to its robust reporting capabilities and competitive pricing vs its competitors. While all tools are very similar in regards to scanning capabilities we prefer Tenable SC's user interface. We also like the option to have both on-prem and cloud with theirs. Tenable io product as well.

Incentivized

Tenable.io has a comparable set of features, with excellent support and a competitive price. After less than desirable experiences with another company, we moved to Tenable and haven't looked back since.

Incentivized

• Effective Enterprise Risk Management
• Holistic Real-time Monitoring of your technology and Risk
• Negative - Asset Management has some issues and Ghost / Shadow IT is big issue

• Create internal/operational efficiencies
• Improve compliance & risk management
• Cost management
• Solid vulnerability scanner
• Ease, of use, and capabilities when it comes to analyzing vulnerabilities is what makes this product stand out

Incentivized

• Since this is a requirement for our PCI compliance and the cost is relatively low, the ROI isn't really something we need to think too much about, Tenable's pricing is fair and affordable.

Incentivized