Qualys QSC 2023: Day #1 live report - keynotes & breakouts
Qualys kicked off the USA leg of its QSC (Qualys Security Conference) event this week in Orlando’s Swan & Dolphin resort.
While the families with their double-width push-chair (strollers) were busy heading out to the theme parks, the cyber and vulnerability software engineering cognoscenti – and the Computer Weekly Developer Network team – joined the company in its keynotes and breakout sessions.
While the world ‘security’ is indeed what Qualys is known for – and the term itself features in the actual event title – the company is now more widely known and regarded as a risk management platform company, so how does that technology proposition break down and how does the organisation validate its claims.
Qualys’ chief revenue officer Dino DiMarino kicked off proceedings and welcomed guest keynote speaker Rachel Wilson, managing director at Morgan Stanley.
Having worked for many years at the USA’s National Security Agency (NSA) and with a special tenure overseeing the UK’s 2012 Olympics, Wilson explained that during her time in London, she had seen all manner of hacks (all of which were thwarted) being attempted… among some strange activities from the Russians related to drugs, she noted that the Chinese attempted to hack the timing clocks.
Mushrooming threats
Now working at Morgan Stanley, she noted that all systems are as battle-proofed as possible through work in the ‘cybersecurity trenches’ to make enterprise software systems safe. Talking about why the threats from North Korea are now mushrooming, Wilson noted that one of the major hacking strategies emanating from the country is bank hacking, with an estimated 7,000 people now working on the programme.
“In the last month, what has really been giving me sleepless nights is Iran – we’ve all seen the ongoing war between Israel and Hamas… and we know that Iran is funding this activity,” said Wilson, who also explained how denial of service attacks are escalating.
Russia, ransomware, resilience and regulators are key Rs to think about, said Wilson.
It’s always interesting to see a company start its conferences with a guest speaker who is not an employee, but there was an obvious reason for Wilson’s compelling introduction i.e. with all this backdrop to think of as one arguably very impactful hors d’oeuvre serving to whet the audience’s appetite, Wilson gave way to the Qualys chief to allow the company’s technology to be positioned in the context of what are clearly widely dispersed and variegated cyber threats around the world.
CEO Thakar: De-risk business
Thakar took the stage to deliver his central keynote session entitled: The future of cyber risk management: aligning cybersecurity outcomes to business outcomes. With the ‘de-risk’ business theme emblazoned across all the event posters and placards, Qualys is clearly determined to explain why we need to think about how we elevate protection platform tools to a level where all risks are quantified and analysed – and subsequently remediated – with regard to how they impact an organisation’s security total posture.
Always affable and approachable, Thakar started with a respectful segue from Wilson’s section of the keynote.
He noted how much he particularly enjoyed the explanation of how ransomware attackers now instigate their attacks and even issue questionnaires after they have received payments from organisations that have been hacked – a kind of ‘how was your ransomware compromise experience?’ kind of approach.
Now looking to what he hopes will be an elevation of the way we all manage risk management with regard to any firm’s stance on cyber, Thakar reminded the audience that he understands just how big the threat from nation-state attackers is and why every business and indeed every person forms part of the potential threat target list.
““There is no value of security investment if timely remediation is not being performed,” said Thakar. “Today we know that everything is becoming important and critical – if the security teams get told that 700 things need to be fixed, then they end up not being able to do anything. Qualys has been looking at how customers are using its platform and detecting vulnerabilities – of the 2.6 billion detections found this year, 81% of them are classed as high-risk. With this huge number of things that need to be fixed, we have built Qualys TruRisk technology to be able to let users know which risks are actually being weaponised out there in the real world of the cloud and the web – when we apply this technology to that number, the percentage drops to 603 million today. So it’s all about telling the business how much risk it really has that is really being exploited.”
Looking at how companies should calculate their risk quotient and not take a silo-based view of their vulnerabilities, Thakar wants to provide technologies that provide a ‘meaningful view of the risks’ to the business.
Asset visibility
Because an estimated 30%+ of any given organisation’s assets aren’t visible, a key first step is working to get complete visibility of external and internal assets in the business. Spanning applications, IoT, SaaS, data, code, infrastructure, public cloud assets and more – firms need to be able to know what they have before they start to think about what to protect and, therefore, where risk exists.
Where this all brings us to is the question of whether chief information security officers (CISOs) are getting a seat at the boardroom table or not. Although that’s a tough question on its own, when these people do get to sit on the board, Thakar reminds us that they often find it hard to articulate the nature of cyber risk that the software application development team needs to be thinking about.
In answer to this challenge, Qualys explains how its platform helps provide a quantification of cyber risk that the business function can understand through its risk profile (through a score) and its context in relation to the business value of the application or data service at risk.
Risk measurement, articulation & remediation
With risk measurement, risk articulation, risk relevance to applications and data and the business and risk remediation all now crucial elements of the total process at work here, Thakar suggests that everyone in a business needs to be aware of the processes at work here. While it will be the risk professionals (and there are now many formalised job titles in this space) who act to fix things, a wider comprehension evolution also needs to happen.
NOTE: Interestingly, of 1000 (approx) attendees registered for Qualys QSC this year for the Orlando leg of this event, a perhaps comparatively small number (just 80) attendees had the word ‘risk’ in their workplace designation and job title.
Moving to announce the Qualys Enterprise TruRisk Platform, Thakar spent some time making his central product announcement. In short, the platform is designed to de-risk business assets through automation and acceleration of processes that have often been manually executed in the past.
“The Qualys Enterprise TruRisk Platform aggregates cyber risk signals from a wide array of disparate sources and correlates them into measurable risk insights using the unified TruRisk risk scoring framework. As a result, users are empowered with a centralized means of measuring, communicating, and eliminating their cyber risk with precise remediation and mitigation actions, supplying them with an optimized path to cyber risk reduction,” explained Thakar, in a personal blog covering the news.
The Qualys Enterprise TruRisk Platform is designed to provide a centralised way for a company to measure (and eliminate) its cyber risk. It arms users with the information they need to communicate their actual cyber risk posture to internal security and business risk stakeholders. Additionally, it provides external executive stakeholders, from the board to cyber risk insurers, with the necessary data they need to make the right decisions.
Mickey can wait, thanks
Wrapping up the day one opening session, Thakar mentioned his favourite new term ‘de-risk’ business once more and welcomed the attendees to visit breakouts and a a now formalised and well-populated partner pavilion at the show itself.
Disney World can wait, tell Mickey not today thanks… we’re deep in risk management.