ServiceNow’s Amit Zavery On Delivering An ‘End-To-End’ Security Platform For OT And IT

Zavery, president, COO and chief product officer at ServiceNow, tells CRN that the $7.75 billion acquisition of Armis is allowing ServiceNow to ‘accelerate the roadmap’ on OT (operational technology) security for partners and customers.

ServiceNow’s recently completed acquisition of cyber exposure management vendor Armis is enabling the company to “accelerate the roadmap” on cybersecurity in a major way for partners and customers, with a key focus on expanding into security for OT (operational technology) environments, according to ServiceNow’s Amit Zavery.

In an interview with CRN, Zavery discussed the massive opportunities for solution and service provider partners from ServiceNow’s $7.75 billion acquisition of Armis, which was completed April 20.

“As we thought about vulnerability management, exposure management and how you bring that together into one end-to-end platform, Armis was the [vendor] we identified as allowing us to accelerate the roadmap of [offerings for] customers. Because the customers were reaching out to us to solve that problem for them,” said Zavery, who is president, COO and chief product officer at ServiceNow.

As a result, “we're unifying all these capabilities around asset, data, access, permission, device management, vulnerability and exposure [management] into a unified security platform,” he said.

Given the many strengths of Armis—including its powerful asset intelligence engine and a SaaS-based alternative to hardware-dependent approaches—it was not surprising to see that ServiceNow was interested in the vendor, according to Blackwood’s Ryan Morris.

“If you think about the capability that Armis brings into [ServiceNow's] portfolio in a consolidating market, it makes all the sense in the world,” said Morris, president at Annapolis, Md.-based Blackwood, a longtime Armis partner and No. 93 on CRN’s Solution Provider 500 for 2025.

In particular, the Armis platform provides a high level of availability that can offer the type of cyber resilience that a significant number of customers are seeking today, he said.

“At the end of the day, it’s really resiliency that [customers] care about—both being secure and available,” Morris said.

And to enable that, “you have to understand what’s on the network,” he said.

For ServiceNow, the additions of Armis and Veza, the identity security startup ServiceNow acquired in March, bolster an already fast-growing cybersecurity business, which had surpassed more than $1 billion in annual contract value (ACV) even prior to the acquisitions, Zavery said.

Ultimately, “ServiceNow is all-in on security. We do believe it's an important problem to solve. And partnering with us—and really building integrated experiences for our customers—can help our businesses together and solve more critical customer solutions,” he said. “So we are a partner-led company, and we do believe that's the best way to really solve these complicated and very critical issues customers are facing today with AI.”

What follows is more of CRN’s interview with Zavery.

How much traction has your security business had prior to the recent acquisitions of Armis and Veza? And how do these acquisitions build out your security offering?

I'll start with the higher-level thinking. AI—and agentic AI, specifically—really accelerates the need for having a very solid foundation on security and managing the complexity associated with agents and systems, which are accessing a lot of information and not having the right paradigms and protections associated with that. So when we launched agentic workflows and capabilities, and talking to a lot of our customers, one of the biggest things they came to us with was, they run into a lot of worries about security, control, governance, compliance and visibility across the board. And the attack surface area keeps on growing because of how much an AI agent and other systems can do or access. So they asked us, “Can you please first solve that before we go down the path of adopting a lot of AI agents—not just from [ServiceNow], but various other providers as well?” This is where we introduced this idea of the AI Control Tower, where we give customers complete control over all the different things they might be doing with AI—ours and third-party, end to end. They can discover [agents], manage them, track usage, audit compliance risk associated with that, the cost associated with that, as well as removing access if necessary.

As we continued talking to our customers about that, we realized that a lot of the things they were doing required a lot more depth around agent management and governance. That's where our acquisition of Veza fit in. We have been doing a lot of work in security, previously [to the acquisitions]. Our business in security and risk is $1 billion-plus and growing very, very fast. We're doing a lot of work around the post-breach—if something happens, how do you resolve it? How do you triage it? How do you have a resolution plan? Beyond that, how do you now govern those identities and activities for non-human actors? And that's where Veza is very powerful. They have an access graph, which is able to take information from various different systems and provide the right governance and structure [to those systems] for non-human identities and the lifecycle around it. Because [with] these AI agents, their lifecycle is very short—but you do want to make sure during the time they have access to something, it is really allowed, and [that] you’re able to manage it and track it. So that's how we thought about Veza and bringing it together as part of our managing of human and non-human identities for access across data, applications, systems and AI artifacts.

How does the acquisition of Armis then fit into the picture and expand your security offerings further?

We’ve been doing a lot of work around OT. Today, just like we manage the IT estate, we are also managing the OT estate for many of our customers. And they are also looking at security risks for those things, just like we did for IT. They're worried about devices not having the right privileges or [about] the wrong people accessing it—be it physical devices in manufacturing plants or buildings or IoT devices, as well as medical devices. So as we thought about vulnerability management, exposure management and how you bring that together into one end-to-end platform, Armis was the [vendor] we identified as allowing us to accelerate the roadmap of [offerings for] customers. Because the customers were reaching out to us to solve that problem for them. So we're unifying all these capabilities around asset, data, access, permission, device management, vulnerability and exposure [management] into a unified security platform. And that's really our landscape, which we want to deliver, while we work with a lot of third-party companies out there that provide a lot of insights and telemetry. We take [that] in real time and then run a lot of diagnostics, as well as proactive prevention of threats into the system.

So even before the recent acquisitions, you already had a substantial security business from a revenue perspective?

Yes, we have already been pretty strong in security. CISOs are probably our second-largest buying center after CIOs. A lot of [CISOs] trust us to manage all of the things they need to do with any kind of security remediation, incidents, the lifecycle of resolution planning—and interacting with various stakeholders, be it CIO, IT teams, product and engineering teams in many cases, and [with] third-party systems as well. We are in the center of that workflow, typically, for incident and security and risk assessment as well. So that's the business we are already in. We have a lot of customers today who are using us that way. And what we did with Armis and Veza is just expanding that roadmap and capabilities to be even more complete in that area—because we see traction, but also a lot of customer demand in that area. So the billion-dollar business has been there a couple of quarters already, and that's been growing at a very, very fast pace. So we already have been at the seat of the table for some time, and we understand the issues. And the customers see the value we provide, and now they're asking us to do even more.

What are the opportunities here for solution and service provider partners—both those who previously worked with Armis and existing ServiceNow partners?

Our goal always has been [to] have an open platform, and we do believe in partnerships and also creating an ecosystem for our customers. We understand every customer will have different environments, and they don't have to have everything from ServiceNow. So our goal is always to co-innovate and partner with companies that solve end-to-end solutions. And we've been doing that with other providers like Palo Alto [Networks], CrowdStrike, Wiz and others—to make sure what customers need and what we can deliver in combination is really thought out. So with Armis, similarly, our partner ecosystem will continue expanding. They will get exposed to even more partners than they probably did individually. Our partners will get the value of Armis, especially if they want to expand into OT and other areas. We’re bringing in a lot more capabilities for them to really grow the business together with ServiceNow. So our goal is a very partner-led motion. And we do believe we cannot solve everything ourselves. And this space is moving fast enough that all of the security vendors, and all the other partners in this ecosystem, have to work collaboratively.

Overall, what would be your message to partners on these topics?

ServiceNow is all-in on security. We do believe it's an important problem to solve. And partnering with us—and really building integrated experiences for our customers—can help our businesses together and solve more critical customer solutions. So we are a partner-led company, and we do believe that's the best way to really solve these complicated and very critical issues customers are facing today with AI.