How a Global Pharma Company Streamlined SecOps with ServiceNow

Security operations are critical across both IT and OT environments. ServiceNow supports this through capabilities in vulnerability response (VR) and security incident response (SIR), offering enhanced visibility, scalable workflows, and seamless integration with third-party security tools.

A global pharmaceutical company—already a long-time ServiceNow customer—brought in a new CISO who sought to integrate ServiceNow into its SecOps strategy. To achieve this, the company partnered with CoreX on a multi-phase initiative aimed at improving collaboration between the security and IT teams, while streamlining the processes for managing vulnerabilities and security incidents.

This case study covers two consecutive projects: vulnerability response (VR) and security incident response (SIR).

Saving Time with VRx

To kick off the project, CoreX introduced its VRx program, a prescriptive implementation package for ServiceNow designed to streamline vulnerability detection, classification, and remediation.

The organization’s key challenges included spreadsheet-based workflows, inconsistent team coordination, and slow resolution timelines. Their goals: improve vulnerability tracking through dashboards, enhance performance monitoring, and scale response efforts efficiently.

With VRx, CoreX delivered a structured deployment that integrated with the company’s existing security tools and workflows. Key benefits included:

• Faster time to value
• Reduced risk exposure
• Enhanced collaboration between security and IT
• Lower resource demands and costs

The first stage of the project involved the CoreX team working with the pharma company through the implementation and taking notes on anything the company wanted deployed beyond the core package. CoreX’s goal was to get the pharma company up and running as quickly as possible with VR in ServiceNow.

After the initial implementation, CoreX moved into a second phase to support additional reporting, process replication, and configuration beyond the core VRx package. The result was a significantly faster vulnerability remediation cycle and improved operational alignment.

Integrating ServiceNow SIR and Security Tools

The SIR implementation followed the VRx rollout, focused on prioritizing security incidents and reducing detection and resolution time. As with VRx, the SIR solution required integrating third-party security tools into ServiceNow.

One major challenge involved integrating the company’s security management tool, which initially flooded the system with duplicate or low-priority violations. CoreX collaborated directly with the tool vendor to engineer a solution: grouping multiple violations into a single incident, which was then ingested by ServiceNow as one comprehensive security ticket.

Another challenge was managing phishing incidents. The pharma company used a separate email security tool, and CoreX successfully integrated it into ServiceNow to automatically generate and track phishing-related tickets.

The SIR engagement is ongoing, with continued refinements to automation, response workflows, and integration. Key results include:

• Centralized and streamlined security operations are in place by transitioning five monitoring panes of glass to a single pane.
• Event and incident parameters are correctly configured in alignment with the pharma company’s language based on severity and category.
• Security event to security incident conversion is clear, and there is complete separation of the two workspaces.
• Response workflows are automatically configured and applied based on the event category.
• Tasks are automatically created for each stage of response.
• Runbook inventory is available directly from SIR ticket
• Response tasks for non-cyber teams are functioning, and updates are brought back to the SIR ticket.

The main outcome of these results was improved visibility and scalability for the pharma company’s SecOp teams.

For example, when managing security violations, the integration between the third-party tool and ServiceNow meant that closing a ticket in ServiceNow also closed that ticket in the tool, and comments made on incidents in ServiceNow flow back to the tool. Working a single incident ticket in ServiceNow meant closing anywhere from 100 to possibly 1,000 violations rolled up into one third-party tool security incident.

The improved visibility came from a single pane of glass dashboard for leadership that could provide insights for both the security team and company leadership. It included elements like how many security incidents were closed in the past month, how quickly the team responded to incidents, and how often tickets were reassigned between teams.

Bringing Efficiency with ServiceNow SecOps

For the pharma company, the VR and SIR collaboration with CoreX and integration of ServiceNow into its SecOps led to dramatically increased efficiency. The engagement between the company and CoreX continues today with plans to integrate additional third-party tools into ServiceNow and explore ways to further improve efficiency and ramp up automation.

After seeing what ServiceNow accomplished for SecOps via the VRx and SIR projects, the pharma company is looking toward OT vulnerability response and threat assessment on security incidents. It had already made a big investment in ServiceNow, and bringing the platform into SecOps gives it a more central role in managing overall operations.