Security has never suffered from a lack of tools. If anything, the opposite is true. Most organizations CoreX works with have invested heavily in scanning platforms, SIEMs, endpoint protection, and monitoring software. What they often lack is clarity about how it all comes together.
This is where Andrew Wortham lives.
As SecOps Lead at CoreX, Andrew spends his days helping organizations make sense of their security operations inside ServiceNow. When asked about the biggest misconception he hears from clients about “SecOps,” he doesn’t hesitate.
“Security software is such a broad category. The biggest misconception we see is a lack of understanding of where ServiceNow fits in, and questions about where and how to start to automate security actions most effectively.”
In other words, most teams know they need orchestration and automation. They just aren’t sure where to begin, or how to connect what they already have into something cohesive.
From Incident Tickets to True Security Operations
One of the most common early conversations Andrew has is about the difference between traditional incident response and ServiceNow’s purpose-built Security Incident Response (SIR).
Many organizations initially treat security incidents like any other ticket. Andrew is quick to explain why that approach creates risk.
“The biggest reasons to use SIR and not just INC are data separation and process separation.”
Security data, by its nature, requires tighter control.
“It is crucial to keep sensitive security information as restricted as possible. Using SIR, we are able to ensure only security analysts can see security incidents.”
Beyond access control, there’s the matter of discipline. SIR aligns with established security standards and frameworks.
“SIR follows NIST standards, allowing you to instantly track key metrics associated with security incidents. Time to Contain, Eradicate, Resolve. And once complete, SIR allows for a more robust post-incident review.”
This combination of governance and structure changes how organizations experience security. It becomes both measurable and improvable.
What Maturity Actually Looks Like
Security maturity is often described in abstract terms. Andrew prefers to point to the dashboard.
“Using the SIR Executive dashboard, we are able to use metrics such as time to contain and time to resolve, sorted by category or SIEM event, to determine where we can achieve the most impactful efficiency gain.”
For Andrew, the real signal of progress is trend data. When teams can see how containment time improves over months. When resolution times stabilize. When incident categories shift because upstream issues are being addressed.
“We can then use those same metrics to track trends over time and see the value add.”
In other words, maturity is not arbitrary; it is a repeatable pattern.
Where Value Unlocks
When asked where SecOps programs unlock the most value, Andrew refuses to default to a single answer.
“It very much depends. We can do an assessment, look at metrics, and help determine best value add.”
Sometimes it’s vulnerability management that needs tightening. Sometimes, threat intelligence integration is the bottleneck. In other cases, automated response through SOAR creates the most visible lift.
This flexibility is intentional. CoreX doesn’t approach SecOps with a one-size-fits-all playbook. The right next step depends on the organization’s data, processes, and objectives.
The CMDB Question That Always Comes Up
As with many ServiceNow engagements, SecOps often leads back to a familiar foundation: the CMDB. As in many projects, the CMDB is a core driver of efficiency gains, and incomplete or untrusted configuration data slows everything down. It complicates vulnerability prioritization. It creates confusion in incident triage. It limits automation.
Andrew also points out that there is immediate value simply in moving to SIR because of its connection to the broader ServiceNow platform.
“There is a lot of value add in simply going to SIR due to it being connected to the rest of ServiceNow, and then a tremendous amount more once we get into SOAR.”
That connectivity is where orchestration becomes real. Alerts are tied to assets, which are tied to owners. Response steps trigger downstream workflows, and security stops operating as a silo.
Looking Ahead
For Andrew, the future of SecOps inside ServiceNow is defined by automation and consolidation. As organizations mature, the question shifts from visibility to speed.
- How quickly can you contain?
- How much of the response can you automate?
- How consistent is your playbook execution?
On the vulnerability side, the landscape continues to evolve rapidly.
“For VR, the landscape is constantly changing. ServiceNow is adapting and making it easier to track and maintain all vulnerabilities in one place.”
This unification matters. Security leaders are tired of stitching together exports and spreadsheets. They want a system of action that reflects the reality of their environment and helps them make informed risk decisions.
Andrew’s work sits at the center of that transformation. Not in the hype. Not in the noise. But in the discipline of turning security signals into measurable, governed, and automated outcomes.
At CoreX, SecOps is about building a security program that improves every quarter. And as Andrew sees it, 2026 is shaping up to be a year in which automation and integration truly begin delivering on their promise.