Spotlight: Philippe Courtot, CEO of Qualys: We Need to Change How We Do Security

In this Spotlight Podcast*, Philippe Courtot of the firm Qualys discusses being an early innovator in the software as a service space and how the market for cloud based security services has evolved since he launched his firm, Qualys, almost two decades ago. 

If you walked the trade show floor at last week’s RSA Conference as I did, it is easy to forget that cloud-based security used to be considered so far out as to occupy the realm of science fiction. As recently as 10 years ago, many otherwise sophisticated firms were of the opinion that, no matter the benefits the cloud bestowed on= other business functions, security was a bridge too far.

Philippe Courtot saw things differently. Just months after Mark Benioff stood up his hosted customer relationship management (CRM) platform,, Courtot launched his firm Qualys, which took what was at that time relatively new security function – software vulnerability management – and ported it to the cloud.

[Also listen to: Podcast Episode 93: Talking GDPR with Cisco’s Chief Privacy Officer and RSA 2018 Recap]

Philippe Courtot is the CEO of Qualys.

No good deed goes unpunished. Well ahead of the SAAS (or “software as a service”) market, let alone the security software as a service market, Courtot would spend the next 10 years evangelizing not just for his company, but for the grander notion that companies of all sizes would be better off swapping out their expensive and hard to manage physical IT assets for managed cloud services.

His evangelism involved creating not one but two industry groups: the Cloud Security Alliance, to promote cloud based security and a group called the CISO Interchange to help evangelize the notion that vulnerability management was a critical security function, not a nice to have.

It wasn’t easy.

“I was not well received. I felt like Galileo trying to convince the church that it was the Earth that revolved around the Sun and not the other way around,” he told me. “Thank God, though, that we live in America and I did not have to abjure and I was not put in house arrest for the rest of my life!”

Security as a service took a long while to gain adoption – perhaps longer than Courtot had bargained for.
“It took much longer than I thought,” he told me. Still, history has proven the CEO right. Vulnerability management is a sanctioned and – in fact – mandated security function. Cloud security is front and center as organizations of all sizes migrate critical functions to reliable, managed cloud services like Amazon Web Services and Microsoft Azure. Qualys is a publicly traded company with a $3 billion market capitalization.

Courtot said that the kind of security tools companies use will need to rely more on automation and centralization, akin to how the home security market has come to rely more on remote sensing, cloud and automation. “Look at the way we secure our homes: we have sensors that manage our home and our home security. They can notify the cops or the fire marshal. (Enterprise) security will have to be that way,” he said.

I caught up with Philippe at the RSA Conference to record this special spotlight podcast. In it, we talk about Qualys founding and growth, the tremendous changes in the security industry in the last 15 years and about his latest initiative: the CIO/CISO Interchange, which is about educating C-level executives about how to enable digital transformation in their own organizations.

(*) Spotlight podcasts are custom recordings that are offered as a premium service by The Security Ledger. To schedule a Spotlight podcast for your firm, please use the contact page to send an inquiry. 

Comments are closed.