Qualys ROCon 2025: Day 2 - Balancing risks across innovation & compliance
Deeper into Qualys ROCon 2025, day 2 kicked off with a somewhat esoteric session entitled Risk Yoga: Stretching Strategy Into Measurable Action, presented by Richard Seiersen, the company’s chief strategy officer.
Before diving into day 2 in full, it is worth restating that Qualys renamed its conference this year.
Qualys Security Conference (QSC) is now Qualys ROCon, i.e. Risk Operations Conference. The renaming (as we have discussed) runs in line with the company’s wider message: focus first on the risks that can actually be managed, rather than trying to fix and remediate every vulnerability (some of which may not affect the business at all), and prioritise those whose remediation delivers a measurable ROI.
Non-ROI remediation
A working example that Qualys CEO Sumedh Thakar gave when speaking to the Computer Weekly Developer Network at this show ran as follows…
“Let’s say a company could spend £50,000 on remediating a critical vulnerability when users access Excel files, or the same amount on fixing a misconfiguration in a cloud application deployment. The issue in these Excel files is rated critical, so it would normally get priority. But in the real world, the issue only surfaces when users have “macros enabled” in live Excel applications and the company has a usage policy of “macros automatically not enabled”. That vulnerability should never logically surface or pose any risk.”
Remediating that vulnerability would provide no identifiable return on investment (ROI), so the cost is not justified by the risk.
Fireside chat
The next session at this event was entitled Fireside Chat: AI Agents at Work: Balancing Innovation, Risk, and Compliance. The session was run by Dilip Bachwani, CTO and EVP for Cloud Platform at Qualys who spoke with Jim Reavis, CEO for the Cloud Security Alliance.
Talking about the loosely coupled architectures within which agents can now apply risk operations management actions, Reavis said that there are still a lot of humans in the loop. Bachwani edged towards the next reality, where these agents start to work more autonomously: yes, generative AI will give you a nice summary of an organisation’s security posture, but CISOs today want to know that if they ask the same question on two different days they will get the same response, and that is a guarantee that is unlikely as we stand in 2025.
“Breaking down tasks into multiple agents (generally) enables agents to provide more deterministic (and therefore more secure and more accurate) responses,” said Reavis. “We’re really starting to see the impact of that inside working security teams today. But [it’s early days and there is a lot of experimentation, so] maybe natural language is not always the best way to interact with these systems; we’re seeing the emergence of platforms in the space that are yet to be standardised. There are many practices that we need to build around the core agentic capabilities that are out there that we now need to optimise and formalise.”
Bachwani urged the audience to consider the attack surface of modern software applications. With so much to account for, from data leakage to the status of the language models in use, continuous monitoring is no longer a nice-to-have; it is a must-have element of the modern IT stack.
Partner panel
Day 2 at Qualys ROCon closed its morning session with a partner panel focused on managed services offerings for ROC.
Speakers included: Chris Catanzaro, VP of global channels & alliances at Qualys; Furey DiDomenico, principal security architect at GuidePoint Security; Neel Sata, co-founder and GM for cyber, ImagineX Digital; Lance Seelbach, director for cybersecurity Americas at DXC Technology; Johnny Shaieb, exposure management delivery manager and chief architect at IBM; Nathan Shock, global director of security operations for Kudelski Security.
“We first started working on risk with customers, around the kinds of problems that their teams had to manage,” said CTO Bachwani, in a summary interview related to this event. “They told us that they needed to prioritise better… and that they needed help on where to focus and where they wanted to take their security processes. We went through a co-creation exercise that examined how customers should not just use their initial vulnerability management data (because that meant teams would just go fixing vulnerabilities based on CVSS rating scores for what was high or critical rated)… and so address those issues that might not be critical to them. Instead, we helped our customers apply threat intelligence data and business context data to make decisions based upon risk factors. With that information, organisations can gain that ‘focus on this first’ factor.”
Bachwani reminds us that no organisation is going to use a single vendor for everything; in security terms, they will most likely have CrowdStrike, Prisma, Check Point, Aqua and other vendors providing them with data.
“We want to take that third-party data and use it alongside all the threat intelligence streams that we have coming to us. For enterprises, they don’t want to be told that they have 500,000 issues to fix, they want to know the 5,000 or the 500 issues that are the most pressing in their systems,” said Bachwani. “This is a proactive approach – while companies might have a security operations centre (SOC) that they would rely on for reactive incidents and security data coming in, we want them to have a risk operations centre (ROC) that works alongside in a far more proactive way.”
He says that the ROC is the “bridge around cyber issues” and potential risks, not just incidents and issues taking place.
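The prioritisation argument made twice on this page, in Thakar’s Excel-versus-cloud-misconfiguration example and in Bachwani’s account of layering threat intelligence and business context over raw CVSS scores, can be made concrete with a small scoring model. The following is an added example and is not Qualys code: the weights, the three findings, the CONTROLS policy table and every helper name are assumptions constructed for illustration. The point it shows is that a CVSS-only ranking puts the critical Excel bug first, while a ranking that accounts for an enforced “macros not enabled” policy, exploitation in the wild, exposure and asset criticality drops it to zero and surfaces the cloud misconfiguration instead.

```python
"""Risk-based prioritisation: CVSS-only ranking versus threat intel + business context.

Added example, not Qualys code. All weights, findings and policy data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    cvss: float                          # CVSS base score, 0.0-10.0
    asset_criticality: int               # business context: 1 (low) to 5 (crown jewel)
    exploited_in_wild: bool = False      # threat intel: seen in active exploitation
    exploit_public: bool = False         # threat intel: public exploit code exists
    internet_exposed: bool = False       # asset reachable from the internet
    preconditions: tuple[str, ...] = ()  # conditions an attacker needs to trigger the bug
    remediation_cost: float = 0.0        # estimated cost to fix, in GBP


# Compensating controls enforced by policy (assumed names). A precondition listed
# here with value True is blocked, so a finding that depends on it is unreachable.
CONTROLS: dict[str, bool] = {"office-macros-enabled": True}


def is_reachable(f: Finding, controls: dict[str, bool]) -> bool:
    """A finding is reachable unless policy blocks one of its preconditions."""
    return not any(controls.get(p, False) for p in f.preconditions)


def likelihood(f: Finding, controls: dict[str, bool]) -> float:
    """Probability-like weight in [0, 1]; zero when the finding cannot be triggered."""
    if not is_reachable(f, controls):
        return 0.0
    score = 0.2                      # baseline: the vulnerability exists
    if f.exploited_in_wild:
        score += 0.5                 # active exploitation outweighs a public PoC
    elif f.exploit_public:
        score += 0.3
    if f.internet_exposed:
        score += 0.3
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Technical severity scaled by how much the business cares about the asset."""
    return (f.cvss / 10.0) * (f.asset_criticality / 5.0)


def risk_score(f: Finding, controls: dict[str, bool]) -> float:
    """0-100 risk score: likelihood x impact."""
    return round(100 * likelihood(f, controls) * impact(f), 1)


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """What a team does with vulnerability data alone: highest CVSS first."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: list[Finding], controls: dict[str, bool]) -> list[tuple[str, float]]:
    """Risk-operations ranking: threat intel, exposure, business context and policy."""
    scored = [(f.fid, risk_score(f, controls)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_reduced_per_1k(f: Finding, controls: dict[str, bool]) -> float:
    """Risk points removed per £1,000 spent: a crude ROI figure for a fixed budget."""
    if f.remediation_cost <= 0:
        return 0.0
    return round(risk_score(f, controls) / (f.remediation_cost / 1000), 2)


# Constructed findings mirroring the example on the page: a critical Excel bug that
# needs macros enabled, a cloud misconfiguration on a crown-jewel asset, and a filler.
FINDINGS = [
    Finding("XLS-RCE", "Excel file handling RCE", 9.8, 3,
            exploit_public=True, preconditions=("office-macros-enabled",),
            remediation_cost=50_000),
    Finding("CLOUD-BUCKET", "Customer-data bucket publicly readable", 6.5, 5,
            exploited_in_wild=True, internet_exposed=True, remediation_cost=50_000),
    Finding("DEV-SRV", "Outdated library on internal dev server", 7.5, 2,
            remediation_cost=5_000),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    print("Risk order (policy enforced):", rank_by_risk(FINDINGS, CONTROLS))
    print("Risk order (no macro policy):", rank_by_risk(FINDINGS, {}))
    for f in FINDINGS:
        print(f.fid, "risk/£1k:", risk_reduced_per_1k(f, CONTROLS))
```

Two design choices matter. First, the policy check is a hard gate rather than a discount: if a precondition is blocked, likelihood is zero, which is the page’s “should never logically surface” case. Second, the ROI figure divides by remediation cost so two fixes with the same £50,000 price tag can be compared directly; removing the macro policy (an empty `controls` dict) puts the Excel bug back on the board, which is the check you would want before trusting a control that might be disabled on some endpoints.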
Key takeaway: a new change frequency
As we look to the future and start to understand how to work with the new “change frequency” of enterprise software, we may see well-known brands refactor significant proportions of their codebases on an almost daily basis. As the elements of risk operations management shift towards more autonomous controls at this level, new benchmarks and standards will emerge.

Dilip Bachwani, CTO and EVP for Cloud Platform at Qualys (left) spoke with Jim Reavis, CEO for the Cloud Security Alliance (right).