Philippe Courtot, CEO, Qualys
Q. What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
A. We see within our customers a “go back to the basics” approach combined with looking for solutions that are more cost effective, such as SaaS and open source, while providing the same level of quality (you would not want, of course, a security solution that is inferior in quality – you could get by if some nice-to-have features are missing but would not want to compromise any must-haves).
Q. What problems or challenges is your company facing in the face of a declining economy and how are you and your executives going to overcome these?
A. Because Qualys has a pure SaaS model we are much less impacted than enterprise software solution businesses that all depend on getting new business to meet payroll. As long as our customers renew, we do not need to contemplate or implement layoffs. Currently Qualys has 210 employees worldwide and we are looking at adding 50 more people in 2009 (25 percent headcount growth). Of course, if conditions were to deteriorate further we would slow down our hiring.
Q. According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
A. While we see IT budgets being definitively reduced or just maintained, we see less pressure on the IT security side and most of our customers have been able to maintain their budgets and a few of them for specific reasons, such as compliance requirements, are being able to increase them albeit minimally.
Q. Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
A. Keeping “the data safe” is not a simple task since in most cases the data needs to be used by multiple people in different locations. Having data in one place greatly simplifies good governance on the data and we see companies taking steps in this direction. While just a few years ago companies and particularly security professionals were reluctant to have the data be outside of their company, we now see a new awareness emerging as companies are realizing that migrating their applications to a SaaS solution allows them to have their data in a single place, better ensure that they know who accesses the data and what security measures being taken to ensure its protection.
Q. As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
A. The challenge we see is the fact that while attacks are getting very sophisticated, most security teams are understaffed. Also there is a shortage of highly qualified security professionals and budgets are getting tighter. As we all know, difficult times encourage criminality and at a time when resources are scarce this presents a challenge. Although there is no sliver bullet to address all of these threats, it is still important that companies take additional measures to manage risk to sensitive data and not just stop at baseline compliance steps. With the sophistication of emerging and blended threats, security and compliance cannot be check boxes.
Q. What about the newest technological advances that companies are taking advantage of, such as virtualized environments or cloud computing, and other newer ways to conduct business – how should the ensure they are managing their data safely and securely?
A. While virtualization technologies may help reduce cost while providing more flexibility, they also introduce additional challenges to overcome from a security perspective (a vulnerability will then be spread much more easily and is harder to mitigate). Conversely, SaaS or cloud computing technologies, as long as the SaaS provider has made serious audits of the security infrastructure and processes in place, greatly simplifies security--it comes with the subscription-- while providing much more flexibility and significant cost savings.
Q. If there's one thing security practitioners and their bosses should be mastering when safeguarding their business, what would you say it is?
A. For companies with little security expertise, engage in an independent and pragmatic audit of the security and compliance posture of your organization and establish a “big vision” with a ‘small steps' implementation process for IT security and compliance. For companies who have mature security teams, encourage these teams to start looking at the value from a security perspective that Cloud Computing or SaaS technologies bring to the table, to help simplify and reduce the cost of security and compliance.