Q&A: Qualys CEO On Why Legacy Security Companies Won't Cut It In Cloud-First World

Courtot On The Record

When it comes to the cloud, customers and partners are all-in when it comes to security. That's what Qualys CEO Philippe Courtot said in an interview with CRN around the company's Qualys Security Conference, held in Las Vegas last week. Courtot said that attitude is a vast departure from years past when the cloud was seen as insecure and was not widely embraced by enterprises. Today, Courtot said, customers are finally jumping on board and looking to embrace a new world of cloud-based security solutions to match their digital transformation goals. For partners, Courtot said, that means a new world of opportunity for those able to pivot their businesses and services to meet new security requirements. Take a look at why.

How have you seen perceptions changing around the cloud and security?

It look a long time for the security industry to understand that the cloud was not something they should be against. Instead, it is something they should use to build an architecture… And now the challenges are: how do you secure that environment?

It is very clear that just like you couldn’t secure a mainframe security environment with client software, you cannot secure a SaaS environment with out-of-date software. Now, finally the market is realizing this. What we have been doing – very silently in a way, one customer at a time – is building a very large and loyal customer base with our vulnerability management solution, where 70 percent of the Fortune 50 and about 40 percent of the Fortune 1000… have essentially adopted the Qualys Cloud Platform and we are selling to them additional services. On the one hand, as we consolidate the plethora of enterprise solutions that they have and at the same time you also enable them to build the security into their digital transformation… We have a very powerful model… The days of bolting on security are coming to an end.

What changes are you seeing around customer buying patterns? Is it easier to have conversations about cloud-based security than in the past?

Absolutely. What was happening in the past is that everybody in the industry was saying that you didn’t' want to have your data in the cloud and it is very dangerous… This is essentially what happened with Siebel Systems. Everybody thought CRM was too important and nobody can put that data outside of the company [in the cloud]. That's wrong. The same thing is happening here.

We saw the change in mentality a couple of years ago… It took us a long time to get there because of the complexity of building the backend… Security was always an issue of accuracy but it has become one of scale and an issue of immediacy. You need to have a powerful solution that can sift through a lot of data very quickly… Then we are building applications on top of it so we can consolidate… We now have more arrows in our quiver to displace these enterprise security solutions… We took the longer road but we were patient. Now, today we have a fantastic customer base that is very loyal and a model that as long as customers renew we can live forever and if we can sell them additional services we can grow forever. That is our model.

What changed customers' minds about cloud-based security?

I think today there are two factors that are accelerating the mind shift. The first one is that the bad guys have been able to go beyond just monetizing their breaches. They are now - and it was very evident with WannaCry - they have been able to cripple companies… On the other hand, you have the regulators who are reacting to that and making the regulation more stringent to the point where with GDPR the burden of proof is reversed. If you have been breached, you have to prove to the auditors that you have been a good guardian of the security and the privacy of the data of your customers. If you cannot prove that, they have the ability to fine you up to 4 percent of your revenues… That is now making security front and center at the board level… What is the solution? The solution is trying to insure the risk if you can. The second solution is, if there is a better way to leverage new technology – which we need to do anyway – to make our business more agile, then could we not build in security and do it right in the first place? We could spend our money there rather than trying to bolt on security. What about building in security? That's our vision.

Do you feel more competition as other security vendors move to offer platform and cloud-based security offerings?

It's very difficult. Do you see any mainframe companies moving into the mini-computer, and then the mini-computer companies moving into the client server? It's a total re-architechting of the solution. It is also a very big change in the business model. It's a huge undertaking. If you go back to the mainframe, there is only one company who did it successfully and that was IBM… The other company that is doing that same transformation – and they should be applauded – is Microsoft. They essentially with Azure have absolutely retooled their business. Of these traditional enterprise solutions, Microsoft is the only one I see today which has been really able to essentially re-architect.

When it comes to partners, are you also seeing penetration down to mid-size partners from the enterprise?

Absolutely. We believe we see a really unique opportunity to expand our offerings to the managed security providers and also all of these mid-market partners. That's something we're really looking to create some programs around because we are so well packaged and easy to distribute. We have customers with the same platform in large enterprise, midmarket, and SMB. We have seen them be very successful as well.

How far along is that push? You said you were almost a secret in the industry and I frankly don't hear Qualys come up a lot with partners?

This is going to be in the midmarket. That's much more new. The way we have been doing the midmarket is more selling directly to them. That is what we have been doing. But, gradually… now we are looking at expanding our channels in the midmarket. It's interesting. That entire industry is moving… Qualys is also very well positioned there because it is very difficult to create metrics if you have a plethora of security solutions that Qualys can consolidate… That is what you need to do in security. Today, our current infrastructures are pretty open to the bad guys. It's a huge effort. Part of that effort is your digital transformation because it is easier to build the security into your digital transformation effort and make it better and more affordable than try to add to your current network this kind of security bricks that are hard to install, deploy, and each of them require their own infrastructure.

Do you see a lot of customers starting to invest in GDPR? Or have we not hit that growth wave yet?

GDPR is absolutely a huge thing because every global company today does business in Europe. That means they all have to pay attention to GDPR… The more profound thing is that it gives them the impetus to accelerate their digital transformation… The train has left the station. You will see that more and more becoming the new norm. For the channel… they absolutely have to add to that… Those who fail to do it will gradually disappear. That's what will happen over time. Whenever you have a massive computing shift, the first ones who evolve faster are the channel. I think we have entered that phase, as well. Another reason why we're more interested in the channel is that in the early days the channel was not interested in Qualys. They saw us as the people threatening their business because it was easier to install so they were less interested because that meant less work with Qualys. Now, today they should see us as an enabler to help them essentially change this model so they can absolutely offer those services around it.