B (13:56)

Even within the last few months the conversation has shifted from oh my God, I'm concerned my users, my employees are using AI. I want to find out who's using these AI tools in six months. Now you are saying, well I'm concerned the employees that are not using AI. So it's like, can I get a report of everybody who's not using AI now? Right? And so I think that's very valid. Those are valid questions. And just like with any technology, the security aspect, the cyber aspect, the privacy aspect need to be looked at. And I think the developers of these technologies and the vendors have to put those guardrails answer the questions. And they do have to make sure that they put, you know, that level of comfort with the customers.

A (14:40)

Well, welcome. We are here at RSAC 2026 and it is my pleasure to welcome Sumed Thakar, who is President and CEO of Qualys. Welcome.

B (14:51)

Thank you for having me.

A (14:52)

I want to start off just sort of getting a level setting reality check from you. We're seeing a lot of change in the industry. I don't have to tell you what the hot topic is this year. Everybody knows what it is. But how as an organization do you Adjust to those changes with the products that you're presenting, how they evolve, and how you make sure that you're responding to what customers are asking for.

B (15:17)

Yeah, that's a great question. And not to age myself, but I've been at Qualys for 23 years and I started 23 years ago working on vulnerability management. And so all we have seen in the last many years is just a continuous change in the industry. And I think the rate of change has just accelerated in the last few years. But you know, having done this for a long time, when I take a step back, I feel like there's always going to be some new hot thing that people are going to run after. But if you take a step back and you look at what is cybersecurity. Cybersecurity is essentially a risk management exercise for a company to not have financial loss from a cyber attack. And I think what happens is that many times we don't articulate what is at risk. And the point is that if you don't know how much loss you could have, how could you figure out how much you should spend on reducing that loss? So technology will change, new technology will come. Virtualization was pretty hot 10 years ago. Then five years ago, cloud became a hot thing. And now AI security is going to be hard and two years from now Quantum will be hot. But the question to ask is how does this new technology bring additional risks to my business and how much loss could I have and how much should I spend on that is really the key point. And that's where we have seen the evolution. It's less about the individual hot technology coming out and is more about creating a framework and a platform that is allowing our customers to do overall risk management and operationalizing that risk with the concept of a risk operation center. A rock. Just the way we have done for a SoC, which is a post breach. How do we proactively create, help our customers create a risk operations center that actually gets things fixed? The most important dollar you can spend in cyber is actually getting things fixed. Otherwise you're just doing dashboard tourism by building more dashboards. And we're not getting anything fixed.

A (17:16)

Right, Right. Well, I mean, it strikes me that that's really part of the relationship aspect that you as a trusted partner to help your customers, your clients understand what their risk exposure is. Is that a fair way to describe it?

B (17:35)

I think ultimately if you say that cybersecurity is a risk management exercise, then the real metric is not how many findings you had and how many findings you fixed. Is how much risk of loss did you reduce by spending that money in cyber? And so as we have been talking to customers, we're hearing more and more of that is like, there is a detection fatigue where too many detections are coming out, not enough remediation. And the report we put out about the broken physics of remediation is you have the detection fatigue. Not enough things are being fixed, not enough things are being fast enough. And the attackers are leveraging newer technologies to just attack you faster. And so you kind of are under this pile. And so when we start to look at it, which means by definition, you don't have enough budget to fix everything that is detected, which means prioritization is not an option. And now when you start to talk about prioritization really comes down to what is the most important thing that you should look at? Well, the most important thing is what causes the most risk of loss. So really listening to our customers is all about, I don't have enough resources, tell me, what is the thing I should fix that is going to reduce the maximum loss?

A (18:43)

When you're talking to your customers and your partners, when you're walking the show floor here at the RSA conference, what are you hearing in terms of the pain points from the CISOs out there, the decision makers? What are they telling you?

B (18:57)

It's interesting because if you, and you know, in the industry, there's a lot of like, well, all these studies come out in what are the CISO priorities? But then the CISO priorities are not necessarily the CISO pain point. So that's interesting because the priority will be, I need to look at AI security, I need to look at cloud security, I need to look at. But they're always looking for something new that they have to look at because some new IT technology has come around. But if you ask a CISO what is your personal pain point in your job, they say, okay, I have to pick a cloud technology. I'm going to have my team look at three vendors, they're going to do an analysis and they'll pick something and then we'll negotiate the price. That's not necessarily a pain point. That's a priority. That's not a pain point. Pain point. The pain point is going to my CFO and asking for more budget. And the CFO asks, well, so what do I get in return? Because the AI team is asking for that money, Should I give it to the AI team who's saying that we will increase the top line by 3%, or should I give it to you and you are saying you cannot even tell me if you're going to reduce the risk by five times, one time, three times. So their challenge is how do I report to the board? They go to the board, they cannot explain the value of what they're doing. They're talking about alerts and detection. How many detections? That doesn't mean anything to the board. Even if you tell the board that we fixed, we applied 75,000 patches, what does that mean to the business?

A (20:23)

Once again this year we spent all this money and good news, nothing happened.

B (20:26)

Right. But that's not necessarily the way to look at it.

A (20:30)

Right.

B (20:30)

So that's their pain point. When you Talk about the CISO's job is one part is like I want to make sure that I am putting the right solutions for the company. But the teams are taking care of that. That's your priority. But then they personally, they're really just trying to figure out how do I balance this detection fatigue with not enough remediation and articulating the value and really becoming a business partner. Otherwise the CISO ends up becoming the person that's always saying no and not giving good explanation why it's a no. Right. So how do they evolve from that to be a business friendly ciso? How can you go and say, look, we're gonna operationalize our risk management with that we are reducing the number of things we are fixing and by that I'm giving four hours back to the IT team every week, which amounts to $10 million being given back by not fixing things that don't matter. Right. Those are the conversations that really what they would like to have. They get personally excited about that, of course, picking a new technology, they are gonna pass that off to their team.

A (21:29)

Well, we're here at RSAC 2026 and of course the hot topic is agentic AI. What are your insights? Where do you think we are and where do you think we're headed?

B (21:40)

I think it's very exciting the opportunities that agentic AI is bringing because if you look at every report in the history of cybersecurity, last 10 years has always talked about a lack of talent or lack of trained resources in cybersecurity. And so we are already coming in where we had a big gap of the number of people that were available in cyber that were trained to actually achieve the goals that the businesses were looking for. And so agentic AI has brought out the ability to leverage this new technology and simplify and significantly reduce the number of resources that were required to achieve those goals. Right. A Lot of time. And this alert fatigue and detection fatigue has been there because it's not that the volume was the problem is the amount of stuff that was wasted in that volume makes people fatigue. Right? Like, it's like, okay, I spent three days triaging all this, and I found nothing that's more fatiguing than, hey, we were actually able to do a lot of this stuff. And so I think the ability to have agentic AI, and this is something that we have done a little bit differently, where we talk about kind of having agentic AI named Cyber Risk Agent on the platform, where, like, there are six agents available. Each agent has a name and a Persona, and they have a skill set in cyber. So today, talk to any ciso. Patch Tuesday is still there. People have to take care of Patch Tuesdays. We have Agent Sarah, who is a Patch Tuesday agent. So the way the CISOs look at that is I have a team of 10, and now I'm augmenting them with six AI agents so that my team now is spending less of their time doing these kind of tasks, and they are leveraging Agent Sarah to do a lot of the tasks that needed to be done. And so in that sense, it's actually, we're able to get better outcomes quicker with agentic AI. And so I think that this is going to be a real game changer for us to stay ahead of the attackers. Now, attackers are not sitting back. They're also using AI, and they're also automating and using agentic AI for the attack. So it's almost like we don't really have a choice at this point but to also leverage AgentIC AI to be able to work with the. With the attackers and empower the defenders. The reality, though, is that it's easy to say how many CISOs are getting the budget to build out their own AI team. And even if they get the budget are the resources available in AI. And I think that is where the vendor community here is very important, that the vendors are partnering with the CISOs to provide them this agentic capability as part of the platform so that the adoption of agentic AI does not need these CISOs, all of them, to start to build out their own teams. They can actually leverage the capabilities that are out there to achieve those goals quicker and faster.

A (24:29)

Are you sympathetic to the folks who are expressing concerns that, you know, how are we going to put proper guardrails on this? How do we make sure it doesn't spin out of control and take the company with it?

B (24:42)

Yeah, I think those are fair questions to ask. Right? Like with any technology, I mean, if you look at how much resistance we had for the cloud, the big people were like, oh, no, never. I'm never going to put my data out in somebody else's data center. What are the guardrails? What if this happens? What if that happens? And then a few years later, once those questions were answered and people started to feel comfortable, now cloud has become fashion statement. Right? It's not an optional thing anymore. Everybody has to be in the cloud. And so I think, like with any technology, any new technology, I think the concerns are valid, the questions are valid, and getting insights into where is the data coming from, where is my data going, how is it training, how accurate are the answers? Putting guardrails, making sure that there is no jailbreak, there's no exploitation of that. I think those are all important questions, but I don't think that any of those questions are going to really stop the progress of AI. I think there will be regulations, there will be some guidelines, et cetera. But even within the last few months, the conversation has shifted from, oh, my God, I'm concerned my users, my employees are using AI. I want to find out who's using these AI tools in six months. Now you are saying, well, I'm concerned the employees that are not using AI.

A (25:56)

Right, right.

B (25:57)

So it's like, can I get a report of everybody who's not using AI now?

A (26:01)

Right.

B (26:01)

And so I think that's very valid. Those are valid questions. And just like with any technology, the security aspect, the cyber aspect, the privacy aspect need to be looked at. And I think the developers of these technologies and the vendors have to put those guardrails, answer the questions. And they do have to make sure that they put that level of comfort with the customers.

A (26:22)

Samed Thacker is president and CEO of Qualys. Thank you so much for joining us. It's a real pleasure.

B (26:28)

Thank you very much. Great conversation. I appreciate that.

A (26:35)

There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show. Notes. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. Its powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo@threatlocker.com n2k today foreign. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps and without compromising performance time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. And Finally Yesterday, for a brief and sorrowful moment, I believed Jonathan the giant tortoise, aged 194 and still fond of bananas, had passed away. Multiple outlets reported his death after an X account posing as his longtime veterinarian claimed the world's oldest known land animal had died. According to reporting later confirmed by the Guardian, the real veterinarian does not use X and the impersonator was soliciting, wait for it, cryptocurrency donations. Officials on The island of St. Helena verified Jonathan was in fact asleep under a tree and very much alive. The governor reports Jonathan is still grazing, still fond of bananas, and still ignoring global drama with admirable discipline. If there's a lesson here, it may be to verify sources and then take a nap. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.