Why vulnerability counting fails: a new approach to risk ops

What if the way your security team measures success is actually making you less secure? In this revealing conversation, a VP of Product Security challenges the fundamental metrics that drive most vulnerability management programs.

Alex Kreilein from Qualys breaks down why counting CVEs creates endless work without improving security outcomes, and what organizations should focus on instead. Speaking at Qualys’ newly branded Risk Operations Conference (ROCon), he shares practical frameworks that are changing how security and development teams work together.

This isn’t a theoretical discussion. Kreilein walks through specific scenarios that security practitioners face daily, from interpreting SBOMs to explaining why developers resist patching, to understanding what actually makes attackers’ jobs more expensive.

What you’ll discover in this video

Learn why Software Bills of Materials (SBOMs) generate more noise than signal without a critical missing component. Kreilein reveals an open standards framework that transforms SBOMs from compliance checkboxes into actionable intelligence, and explains exactly how to implement it.

Discover the surprising reason developers don’t patch vulnerabilities quickly (hint: it’s not because they don’t care about security). The answer reveals a fundamental misunderstanding about what creates vulnerability debt, and opens up entirely new approaches to remediation.

Find out how releasing code more frequently can actually improve your security posture by attacking a core requirement that all successful exploits depend on. This counterintuitive principle challenges traditional change management thinking.

Critical insights for security leaders

Kreilein explains the difference between risk and vulnerabilities in a way that immediately clarifies why volume metrics mislead security teams. You’ll understand what to measure instead and why this shift matters for both security outcomes and team productivity.

The conversation covers practical applications of agentic AI in security work, but not in the way most vendors present it. Instead, you’ll hear how AI can address the root causes that prevent developers from remediating issues promptly, turning AI from a theoretical benefit into a concrete productivity multiplier.

For organizations struggling with compliance frameworks, Kreilein offers a perspective that reframes regulations as business clarity rather than burden. He distinguishes between compliance as a floor versus ceiling, and explains how this distinction determines whether security initiatives gain momentum or stall.

Technical frameworks explained

Watch as Kreilein breaks down VEX (Vulnerability Exploitability Exchange) and CSAF (Common Security Advisory Framework) using real examples like Log4Shell. You’ll see exactly how these open standards solve the context problem that makes SBOM data overwhelming rather than useful.
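The join that VEX makes possible, as an added example that is not from the talk or from Qualys: constructed scanner findings against an SBOM are matched to constructed VEX statements in a simplified OpenVEX-like shape, so only findings the producer marks "affected" become work items, "not_affected" claims must carry a justification, and findings with no statement stay visible instead of disappearing. The CVE id is a placeholder standing in for Log4Shell's real identifier.

```python
# Constructed scanner output: one finding per (component purl, vulnerability).
# "CVE-YYYY-NNNNN" is a placeholder for Log4Shell's real CVE id.
FINDINGS = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "vuln": "CVE-YYYY-NNNNN"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "vuln": "CVE-YYYY-NNNNN"},
    {"purl": "pkg:maven/com.example/internal-lib@1.0.0", "vuln": "CVE-YYYY-NNNNN"},
    {"purl": "pkg:maven/com.example/other-lib@3.2.0", "vuln": "CVE-ZZZZ-11111"},  # no VEX
]

# Constructed VEX statements from the application's producer (simplified shape).
VEX_STATEMENTS = [
    {"vuln": "CVE-YYYY-NNNNN", "status": "affected",
     "products": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"vuln": "CVE-YYYY-NNNNN", "status": "not_affected",
     "justification": "vulnerable_code_not_present",
     "products": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
                  "pkg:maven/com.example/internal-lib@1.0.0"]},
]

VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}


def index_vex(statements):
    """Map (purl, vuln) -> statement. Unknown statuses and unjustified
    not_affected claims are rejected: either would silently hide findings."""
    index = {}
    for stmt in statements:
        if stmt["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {stmt['status']!r}")
        if stmt["status"] == "not_affected" and not stmt.get("justification"):
            raise ValueError("not_affected requires a justification")
        for purl in stmt["products"]:
            index[(purl, stmt["vuln"])] = stmt
    return index


def triage(findings, statements):
    """Split findings into work items, suppressed noise, and unknowns."""
    index = index_vex(statements)
    buckets = {"actionable": [], "suppressed": [], "needs_review": []}
    for f in findings:
        stmt = index.get((f["purl"], f["vuln"]))
        status = stmt["status"] if stmt else "under_investigation"  # absent = unknown
        if status == "affected":
            buckets["actionable"].append(f)
        elif status in ("not_affected", "fixed"):
            buckets["suppressed"].append({**f, "reason": status})
        else:
            buckets["needs_review"].append(f)
    return buckets
```

Run on the sample data, three of the four raw findings drop out of the work queue: two are suppressed by a justified not_affected statement and one lands in needs_review because nobody has made a claim about it yet.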

The discussion covers secure protocol design, using TLS evolution and WEP failures as case studies. Kreilein draws on his standards engineering background to explain why security teams need involvement in V1, not V2, and what that means for both internal applications and vendor selection.

Learn specific strategies for making security the path of least resistance for developers, including how test automation and reference architectures become security initiatives that engineering teams actually want to adopt.

Key questions answered

  • Why do security and development teams struggle to collaborate effectively?
  • What makes an application too brittle to patch safely?
  • How can organizations move from vulnerability management to risk operations?
  • What role should compliance play in security strategy?
  • Why does ephemeral code make attackers less successful?
  • How do SBOMs benefit developers differently than security teams?

This conversation offers specific, implementable approaches to persistent security challenges. Whether you’re managing a security team, leading development organizations, or working in DevSecOps, you’ll find frameworks and perspectives that challenge conventional thinking and provide clearer paths forward.