Philippe Courtot Unifies Security Services at Qualys

Qualys’ chairman and CEO reveals the vision behind the cloud-based security and compliance provider’s transformation into a one-stop shop for its customers

The imprint of 3.7 billion internet users deepens and complicates the virtual world with each passing second. In fact, the web today is more unstable than ever before—and that means businesses online are more at risk. Security gaps emerge at a pace so rapid that new defenses become old almost as soon as they appear. So how can the IT infrastructure supporting today’s digital businesses adapt in sync with the constant flux? That’s the billion-dollar question on the minds of cybersecurity teams everywhere. Yet Qualys has an answer: one powerful automated platform to continuously protect everything the internet touches, and more. While protecting devices, apps, and networks from hackers 24/7 seems like a tall order, Philippe Courtot knows simplifying the process is exactly what today’s companies need.

His organization, Qualys, delivers on that vision. Qualys went public in 2012 as a subscription-based cloud service that enabled organizations to identify security risks to their IT infrastructures, and help protect their IT systems and applications from cyberattacks. Its Qualys Cloud Platform now enables its customers to identify their IT assets both on-premises and in the cloud, collect and analyze IT security and compliance data, discover and prioritize vulnerabilities on any device, recommend remediation actions and verify the implementation of such actions.

“We blurred the cloud versus on-premises service,” Courtot says, “creating a new intelligence model where smart devices or sensors, which are centrally managed and self-updating, gather and send data across the internet to a powerful cloud-based back-end residing either on-premises or in the cloud. This is the new architecture that’s taking over.”

Thanks to the Qualys Cloud Platform’s single interface and the billions of data points it indexes with Elasticsearch, it’s much easier to see weak spots in seconds and prevent cyberattacks across all IT assets, whether on-premises, on endpoints, or in the cloud. It’s security for digital transformation made simple by building it in rather than bolting it on, and that simplicity appeals to customers: Qualys now secures more than 9,300 businesses in 120 countries—including 70 percent of the Forbes Global 50.

A History of the Customer-First Approach

Courtot, a serial entrepreneur who built and sold three companies and took two others public before joining Qualys, plays a crucial role in these advances. Today, as the company’s chairman and chief executive officer, he’s working to reduce the cost and complexity of IT security while staying attuned to the ever-evolving needs of Qualys customers. It’s what led to the company’s transition from bolt-on to built-in security. Courtot likens it to home security. “In the past, you had locks on doors, and if an incident occurred you had to physically discover a missing or broken lock and then call the police,” he says. “Now, our built-in cloud model is like having sensors throughout your home that you can manage from your cell phone.”

Born in Dax, France, Courtot earned a master’s degree in physics at the University of Paris before moving to the United States in 1981. For the last thirty-one years, he’s lived in Silicon Valley, where he has helped build ten startups into multimillion-dollar companies as CEO or as an angel investor. His early successes include the e-mail program cc:Mail, which he took from $2,000 to $55 million, and his next company, Signio, which he sold to VeriSign for $1.3 billion.

Courtot has led Qualys as CEO since 2001, and the company continues to actualize his vision of a one-stop shop for cybersecurity. In recent years, Qualys’ growth outpaced the industry average, and the company ranked as the market-share leader, according to an International Data Corporation report last year. Its successes also earned Qualys the top spot on several best security company lists by SC Magazine and Frost & Sullivan.

For the CEO, the customer-first culture at Qualys plays a crucial role in its success. The innovation headquarters based in Redwood City, California, houses engineers who strive to understand how their work directly impacts users. “You need to have people who care about the customers and essentially want to make their lives better,” says Courtot, who aims to differentiate Qualys from what he refers to as the often “predatory” industry. “Managing is easy. What’s difficult is always pushing the envelope for the customer and learning from your mistakes,” he adds.


Hiring for the Individual

While the demand for talent in Silicon Valley is high, Courtot explains that Qualys also looks abroad. Sourcing from under-the-radar talent pools in India, for example, has proven most effective. “Unlike most traditional companies who go to India for the cost, we went there for the talent,” he says. “We could clone our cloud services structure in India. In doing so, we really empowered them to be creative.”

When hiring, Qualys prioritizes what Courtot calls “the inherent fabric of the individual.” He says people who are eager to contribute, who are transparent, and who assume their responsibilities can excel at Qualys; those who only pretend do not. And while expertise is important, the culture fit is key. “I would rather take someone with a very good attitude who maybe doesn’t have as strong domain skills but could learn,” he says. “Then time works for you instead of working against you.”

Members of the small, yet ultra-efficient team spearhead their own initiatives within the cloud environment, swapping red tape for creative flexibility to improve user experience. For example, Courtot considers customers as design partners and cites how they were having a difficult time locating and managing digital certificates. “That became a use case,” he says of how Qualys came to add Certificate Inventory and Management Cloud Apps. “First we ask if we have the right sensors and computing power to analyze it. If there are missing pieces, we go and we build it.” Then the platform integrates the solution directly for users.

Agility and Accuracy Improve Security

Such agility produces results: customers can bring Qualys Cloud Apps together on a customizable dashboard to view protections for IT systems and web applications on-premises, on endpoints, and on elastic clouds. Prioritizing user accessibility also inspired Qualys to offer native integrations with the third-party cloud platforms of Google, Microsoft, and Amazon. That flexibility permits much-needed scalability in the IT security space, Courtot explains. The infrastructure also allows each company to “try and buy” applications and expand coverage only as needed. “Our efficient model has eliminated hundreds of thousands, if not millions, from the IT security budgets of our customers,” he says.

Accuracy has always been the first challenge of security, but now Courtot says the second and third challenges are rapidly emerging: scale and immediacy. “You have to look at all of your devices. It’s not like the old days when you could just look at only the internet-facing devices or a few critical servers,” he says. “Everything is becoming interconnected. You need global visibility and the ability to take immediate action is important.” It’s the big difference between Qualys and enterprise software. In the cloud environment, Qualys continuously indexes new security data from sensors that are always on. And coupled with its Elasticsearch clusters—a powerful search and analytics engine that quickly processes big data—customers can see the big picture instantly.

With a click, customers can view all of their IT assets in two seconds thanks to the more than 250 billion data points indexed. “Today we can scan every IP address and website on the planet,” Courtot says. “Wherever we put our cloud agents, we have a continuous view of what changes on these devices. We’re analyzing in real time what’s coming in and out of the devices and bringing it together in one place, giving our customer the immediacy and global visibility they now need.”

While Qualys was one of the first SaaS security companies in existence, the model’s user-friendly philosophy remains true today even as the technology changes. Qualys implements updates day and night and develops new releases every four weeks. The CEO explains that Qualys will continuously reinvest profits to add more and more services to its already massive base of existing customers. “Everybody wins. Our customers win because we reduce their cost. We provide them with higher quality applications. For us, we earn our keep,” Courtot says. “And as long as our customers renew their subscriptions, we can live forever, and if they adopt our new services we can continue to grow forever.”