Qualys

Computer and Network Security

Foster City, CA 215,354 followers

Security and compliance for your global IT assets.

About us

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings. The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com.

Website
https://www.qualys.com
Industry
Computer and Network Security
Company size
1,001-5,000 employees
Headquarters
Foster City, CA
Type
Public Company
Founded
1999
Specialties
Security SaaS, Continuous Security, Network Security, IT Asset Visibility, Container Security, Cloud Security, Web Application Security, Policy Compliance, PCI Compliance, File Integrity Monitoring, Certificate Security, CyberSecurity Asset Management, VMDR, Vulnerability Management, Patch Management, and Endpoint Detection and Response (EDR)

Updates

  • Qualys reposted this

    Richard Seiersen

    Chief Risk Technology Officer @ Qualys | xCISO: Twilio, GE, LendingClub | Author: How To Measure Anything In Cybersecurity Risk etc...

    What do serial recovering CISOs do on vacation? They present to the National Institute of Standards and Technology (NIST) Cybersecurity and Privacy Board.

    NIST has taken a deep interest in modern approaches to cybersecurity risk management and measurement. Which is great! But there is one problem... It can be a heady topic if disembodied from reality... It's very technical under the hood computationally speaking... And while the technical stuffs are necessary... It's my job (challenge) to keep it connected to the real world... With real world applications and war stories (lots).

    That is why I have opted to frame the outline as such for my friends at NIST:

    - Where Your (new) Job Lives
    - The Job Of Measuring Attack Surface
    - The Job Of Measuring Risk Surface
    - The Job Of Engaging Business Stakeholders

    Stay tuned for other public opportunities to participate in these discussions.... And if you happen to be a Qualys customer, prospect, or related... Feel free to DM me to arrange a briefing.

    #nist #ciso #cybersecurityriskmanagement #metric #informationsecurity

  • Qualys reposted this

    Richard Seiersen

    Chief Risk Technology Officer @ Qualys | xCISO: Twilio, GE, LendingClub | Author: How To Measure Anything In Cybersecurity Risk etc...

    A productively skeptical CISO quipped, "What is a Risk Operations Center and why on earth would I want one!?" My pithy zen koan like retort, "Between value creation and loss exposure lives the ROC – keeping risk within tolerance." That must be a dissatisfying answer for the concrete sequential leader. I will unpack it for you..at least in small part.

    First, a ROC consumes full stack, hybrid, multi-vendor "risk telemetry." IT, OT, Cloud Native… Asset, Identity, Threat, Vuln etc.

    (TECH NOTE: A SIEM consumes "event telemetry" and does rudimentary time series data analysis. It can be fed into a ROC Platform. ROCs do stream ingestion as part of ETL. But ROCs mainly persist data in Graph, OLAP, and some OLTP structures (last for workflow etc). This is due to its high context, change analysis, aggregation and reporting requirements)

    Second...ROCs normalize similar asset types and risks (vulns, threats etc)… And rationalize disparate scores. Scores can be aggregated based on asset grouping like: Application, Crown Jewel, Business Unit up to Enterprise. Good ROC scoring is relatively noiseless… That means it is consistent when underlying heuristics are consistent… And discriminating when underlying heuristics change.

    (TECH NOTE: A score is an index over a set of related heuristics...think credit scoring. In that sense, all scores "aggregate" information. But their function is to rank order our "Operational Attention." Note that a score of 10 is not twice as much "score stuff" as a score of 5...it’s not a temperature, weight and etc.)

    Third...a ROC prioritizes risk using both operational scores and business impact…in fact they get integrated. Business impact is tied to asset... And impact is measured in Money. This is often at the crown jewel and or business unit level – but not exclusively. ROC algorithms use monetary values to inform "importance scoring."

    (TECH NOTE: A ROC is not CRQ. You can think of CRQ as a capability within a ROC. A ROC's main job is to prioritize operational work in a capital and operationally efficient manner.)

    Fourth…a ROC without action is “Yet Another Dashboard Again” (yada yada yada) A ROC should help you buy down risk (in a capital and operationally efficient manner)...ultimately through actions. That means remediation and mitigation integrations are a must… Be it executing automated change based on policy-as-code… Or “person-in-the-middle” enabled workflow…

    Fifth, a ROC makes keeping risk within tolerance "Explainable to business stakeholders and achievable by operators."

    This post focused more on the "Achievable By Operators"...by explaining ROC components. The next post will be on "Explainable To Business Stakeholders." So stay tuned!

    #ciso #riskoperationscenter #roc #crq #cybersecurityriskquantification #informationsecurity

  • Qualys

    Today we had a spook-tacular day at Qualys UK - Reading office and a costume contest at our Raleigh office as we celebrated Halloween! From creative pumpkin carving to enjoying sweet treats, our team was embracing the spirit of the season. We’re grateful for a team that’s all in, whether it’s achieving business goals or celebrating together. #HappyHalloween from Team Qualys! #LifeAtQualys


Stock

QLYS

NASDAQ

20 minutes delay

$159.23

31 (24.175%)

Open
153.745
Low
141.7
High
170

Data from Refinitiv

Funding

Qualys 5 total rounds

Last Round

Series C

US$ 5.6M
