Qualys CEO Thakar: A unified view of business-related risk management & remediation

Key Takeaways

Qualys is evolving from a traditional cybersecurity company to a comprehensive risk management specialist, with the launch of the enhanced Qualys Enterprise TruRisk Platform, which focuses on managing and reducing cyber risk for organizations.

The TruRisk Platform aggregates cyber risk signals from various sources, providing measurable risk insights and actionable paths for remediation, thereby enabling organizations to effectively communicate their cyber risk posture to both internal and external stakeholders.

Qualys emphasizes the importance of a centralized cyber risk management approach, allowing organizations to measure, communicate, and eliminate cyber risk with precision, ultimately enhancing overall security posture and business resilience.

There are cybersecurity companies, but there are also enterprise software vendors who work in the vulnerability management zone that we would not classify as cyber firms in the traditional sense of technologies ‘simply’ circulating around malware, ransomware and system security provisioning.

Qualys is one of those broader platform technology propositions.

More accurately described as a risk management specialist, Qualys spans aspects of IT security control from asset inventory analysis to cloud configuration intelligence to system-wide risk remediation tooling. Now hosting an expanded version of its 2023 Qualys Security Conference (QSC) in Orlando, Florida, November 6-9, 2023, ERP Today was there to witness the core keynote presentations and the breakout deep dives.


We say an expanded version because Qualys is known for hosting an almost monthly roster of events with a solid technical training and qualifications ‘day zero’ before the main event – and, for this Disney-located conference, we saw additional partners (software security specialists, channel players and wider platform ecosystem partners too) also taking up stand space and engaging with attendees.

CEO Sumedh Thakar

CEO and president of Qualys Sumedh Thakar is approachable, technical and engagingly warm, not qualities found in every tech leader C-suite big gun.

Thakar used his keynote to showcase what he called ‘an exciting new milestone’ for the company – the release of the enhanced Qualys Enterprise TruRisk Platform, marking a shift for the future of Qualys as a company that produces technology devoted to managing and reducing cyber risk for CISOs as well as security practitioners.

He explained that the Qualys Enterprise TruRisk Platform aggregates cyber risk signals from a wide array of disparate sources, correlating them into measurable risk insights using the unified TruRisk risk scoring framework. This gives users a centralized means of measuring, communicating and eliminating their cyber risk through precise remediation and mitigation actions that provide the optimized path to cyber risk reduction.

“My announcement about the new vision for our company’s platform is the maturation of a concept that Qualys began working on years ago through a commitment to not only deliver powerful security solutions for attack surface management, vulnerability management, and remediation but also to provide a higher level of orchestration between these solutions that allows security leaders to better identify, prioritize and action cyber risk remediation to maximize positive impact on the business,” noted Thakar, while on stage in Orlando.

Explaining the whole technology shift here further, Thakar said that with the ever-expanding attack surfaces and a growing threat landscape, cyber risk has become an elevated topic of importance and prominence for virtually every organization, especially for the C-suite.

NOTE: Today, nearly 50% of CISOs report directly to the CEO, with over 90% regularly briefing their Board of Directors about their organization’s exposure to cyber risk. As a result, CISOs are being nudged into roles that require them to move beyond merely enumerating cyber risk in the form of Key Risk Indicators (KRIs).

“The Qualys Enterprise TruRisk Platform not only provides a centralized way for organizations to measure and eliminate their cyber risk but also arms users with the actionable insights they need to communicate their actual cyber risk posture to internal security and business risk stakeholders. Additionally, it provides external executive stakeholders, from the board to cyber risk insurers, with the necessary data they need to make the right decisions,” said Thakar.

Measure, communicate & eliminate risk

The introduction of The Enterprise TruRisk Platform marks Qualys’ commitment to helping CISOs, cybersecurity practitioners and ‘risk stakeholders’ (a term that we can take to relate to businesspeople and other non-technical staff) quantify the impact their cyber risk has on their businesses, with actionable paths to eliminate that risk with concise remediation and mitigations.

“Through this advancement, customers will now be able to gain even more from the comprehensive Qualys Threat Library and over 25 threat intelligence feeds that they already receive, empowering them to reduce their cyber risk posture more effectively across their organizations with tangible business context,” added Thakar.

The Qualys Enterprise TruRisk Platform encompasses tools to:

  • Measure Cyber Risk – It aggregates cyber risk across Qualys and third-party products and their Risk Factors.
  • Communicate Cyber Risk – It translates disparate cyber risk data into common actionable insights and business impact metrics for key security and business risk stakeholders.
  • Eliminate Cyber Risk – The technology promises to eliminate cyber risk across the extended enterprise with precise remediation and mitigation actions.

IDC analysts on Qualys

Detailing the progression of the Qualys Platform for IT, Security and Compliance in a whitepaper sponsored by the company itself, IDC analysts Megan Szurley and Philip D. Harris suggest that, “What’s needed is a method by which prioritization considers the information about an asset within a configuration management database (CMDB), how it is categorized or classified, combined with other factors such as misconfiguration, threat landscape, the overall attack surface of the organization, various threat indicators and whether there’s active malware associated with the vulnerabilities.”

IDC also looked at the impact of Qualys on developers within interviewed organizations. As with the IT infrastructure team, developers benefited from having a consolidated applications control center within the Qualys platform. Qualys also provided tighter applications integrations, which ultimately increased the effectiveness of the team.

Szurley and Harris also note that the Qualys Platform provides a continuous, always-on assessment of an organization’s global IT, security and compliance posture, with visibility across all IT assets in the estate. The platform brings a level of automation, built-in threat prioritization, patching and other response capabilities, creating an end-to-end security solution. The platform comprises several integrated modules including Asset Management, Vulnerability and Configuration Management, Risk Remediation, Threat Detection and Response, Continuous Compliance and Cloud Security.

The Qualys team says that its customer base benefits from the use of high-quality functional modules, which increase security capabilities through greater automation of what were previously highly manual tasks such as patch management, i.e. the process of augmenting software application code with additional ‘patches’ of smaller software components designed to make an application more robust, better able to stay online and available, or more resilient to attack. IDC noted that Qualys reduced the frequency of unplanned application downtime, outages and breaches, while also improving the time it takes to resolve a breach.