Sumedh Thakar, CEO of Qualys, discusses the company’s evolution from vulnerability management to comprehensive risk operations. He explains why organizations need a Risk Operations Center (ROC) separate from their SOC, focusing on proactive risk management rather than reactive breach detection.
Thakar talks about how Qualys is standardizing risk scores across vulnerabilities, misconfigurations, and identities to give organizations a single view of their security posture. He also addresses the balance between prevention and detection, the role of AI in accelerating security operations, and why profitability matters as much as growth in cybersecurity.
Key Takeaways:
• ROC focuses on proactive risk management while SOC handles reactive breach detection
• Standardized risk scoring helps organizations prioritize what actually matters to their business
• AI and agentic automation can help defenders match attacker speed
• Consolidation is possible without abandoning best-of-breed tools
• Risk management ultimately comes down to money: potential loss vs. mitigation cost
Chapters:
0:05 – ROCon Conference Introduction
0:27 – What is ROC (Risk Operations Center)
1:52 – Why ROC is different from SOC
3:43 – Rethinking prevention and detection
4:59 – Standardizing risk scores
8:54 – True Risk Score and prioritization
14:15 – Qualys business strategy
16:05 – AI and agentic automation in security
Interview recorded at Qualys ROCon 2024